Solved

is there a tool to show what group membership is used for a user to access files folders

Posted on 2011-03-17
Last Modified: 2013-12-07
I have inherited an AD that has a ton of security groups defined, which makes an overview of what is used to allow who access to what very difficult to get to grips with.

Is it possible to query a tool with a file/folder and a username, and have returned the group membership that is used to give access to the file? Even better would be if the tool showed through which following membership access was granted...

The security groups are sometimes 6-7 memberships deep, and that is not a practicable way of using them to control accessibility... not in my book anyway.


Apologies if my English gets convoluted, I'm not so good at describing technical issues in English.

Best Regards
Panthom
0
Question by:Panthom
5 Comments
 
LVL 3

Expert Comment

by:Rdsterling
ID: 35155429
Use a tool such as cacls.exe or xacls.exe. They are Windows 2000/2003 resource kit tools. If you run these and add /? at the end, you'll be given the syntax to use with the command.

Cacls link - http://technet.microsoft.com/en-us/library/bb490872.aspx
xacls link - http://tech.cuip.net/logins/docs/Xacls-overview.htm#2
0
 
LVL 3

Expert Comment

by:Rdsterling
ID: 35155446
Another tool is SubInACL.exe.
0
 
LVL 12

Expert Comment

by:Navdeep
ID: 35155479
Hi,

You can use the DumpSec tool. This will give you which user/group has access on it.

You can install PowerShell v2 and the Quest AD cmdlets, then you can use
get-acl

and

get-qadmemberof -identity username

This will give you the group membership of the user.
0
 
LVL 27

Accepted Solution

by:
KenMcF earned 500 total points
ID: 35155776
You will need a third-party utility. The ones mentioned already will give you the security group that has access, but you will then need to enumerate all the sub groups and users to see who has access. The Quest tools will just give you the users in the groups. Take a look at Security Explorer from ScriptLogic; I think this will give you what you are looking for.

http://www.scriptlogic.com/products/security-explorer/
0
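The accepted answer's point, that the group named on the ACL has to be traced back through its nested memberships to the user, as an added PowerShell example (not code from any poster in this thread). The `Get-AccessPath` function, the `$memberOf` map and all account and group names are constructed for illustration; the ACE objects only mimic the properties of `(Get-Acl $path).Access` entries.

```powershell
# Added example: show which nested-group chain makes each ACE apply to a user.
# All names and data are constructed; nothing is read from AD or from disk.
function Get-AccessPath {
    param(
        [string]$User,
        [object[]]$Aces,       # shaped like (Get-Acl $path).Access entries
        [hashtable]$MemberOf   # principal -> groups it is a DIRECT member of
    )
    # Breadth-first walk upward from the user. $parent records how each group
    # was first reached, which also stops endless loops on circular nesting.
    $parent = @{ $User = $null }
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue($User)
    while ($queue.Count -gt 0) {
        $current = $queue.Dequeue()
        foreach ($group in @($MemberOf[$current])) {
            if ($group -and -not $parent.ContainsKey($group)) {
                $parent[$group] = $current
                $queue.Enqueue($group)
            }
        }
    }
    foreach ($ace in $Aces) {
        $id = [string]$ace.IdentityReference
        if (-not $parent.ContainsKey($id)) { continue }   # ACE does not apply
        # Rebuild the chain: user -> ... -> identity named on the ACE.
        $chain = @()
        for ($node = $id; $node; $node = $parent[$node]) { $chain = @($node) + $chain }
        [pscustomobject]@{   # needs PowerShell 3 or later
            Type   = $ace.AccessControlType
            Rights = $ace.FileSystemRights
            Depth  = $chain.Count - 1   # 0 = user is named on the ACE itself
            Via    = $chain -join ' -> '
        }
    }
}

# Constructed sample: three levels of nesting plus a circular membership.
$memberOf = @{
    'CORP\jdoe'          = @('CORP\Team-Finance')
    'CORP\Team-Finance'  = @('CORP\Dept-Accounts')
    'CORP\Dept-Accounts' = @('CORP\FS-Ledger-RW', 'CORP\Team-Finance')
}
$aces = @(
    [pscustomobject]@{ IdentityReference = 'CORP\FS-Ledger-RW'; FileSystemRights = 'Modify'; AccessControlType = 'Allow' }
    [pscustomobject]@{ IdentityReference = 'CORP\FS-HR-RO'; FileSystemRights = 'Read'; AccessControlType = 'Allow' }
)
Get-AccessPath -User 'CORP\jdoe' -Aces $aces -MemberOf $memberOf | Format-Table -AutoSize
```

Identities that every token carries implicitly, such as Everyone or Authenticated Users, appear in no membership map, so ACEs naming them have to be treated as matching separately.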
 
LVL 1

Expert Comment

by:fswilliams
ID: 35156117
I use the following PowerShell script to enumerate share perms.

Save as some.ps1, then run as some.ps1 \\server\sharename

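$error.clear()
# Errors are suppressed, so folders that cannot be read are skipped without any message
$erroractionpreference = "SilentlyContinue"

# Print every explicit (non-inherited) ACE on each folder passed in
function GetExplicits ($folders)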
{
   foreach ($i in $folders)
   {
   $acllist = get-acl $i.fullname 
   foreach ($x in $acllist.Access)
      {
      If ($x.IsInherited -eq $false)
         {
         Write-Host "$($x.IdentityReference.Value) has $($x.FileSystemRights) on $($i.fullname)"
         $spacing = $true
         }     
      }
   If ($spacing){ Write-Host "";$spacing=$null }
   }
}

# Require a path argument and check that it exists; return (not break) ends only this script
If ($args[0]) { } Else {"usage: ./auditperms.ps1 `"`"";return}
$strpath = $args[0]
If (test-path $strpath){ } Else { "bad path!";return }

Write-Host "----------------------------------`nROOT FOLDER EXPLICITS"
$folderslist = Get-Item -path $strpath
GetExplicits $folderslist

Write-Host "----------------------------------`nSUBFOLDER EXPLICITS"
$folderslist = Get-ChildItem -path $strpath -recurse | where  {$_.psIscontainer -eq $true}
GetExplicits $folderslist
