Solved

is there a tool to show what group membership is used for a user to access files folders

Posted on 2011-03-17
5
405 Views
Last Modified: 2013-12-07
I have inherited an AD that has a ton of Security groups defined that are causing the overview of what is used to allow who access to what is very difficult to get to grips with.

Is it possible to query a tool with a file/folder and a username, and have returned the group membership that is used to give access to the file? Even better would be if the tool showed through which following membership access was granted...

The Security groups are sometimes 6-7 memberships deep, and that is not a practicable way of using them to control accessibilty... not in my book anyway.


Apologies if my english gets convoluted, I'm not so good at describing technical issues in english.

Best Regards
Panthom
0
Comment
Question by:Panthom
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 3

Expert Comment

by:Rdsterling
ID: 35155429
Using a tools such as called cacls.exe or xacls.exe. They are Windows 2000/2003 resource kit tools. If you run these and add  /? at the end, you'll be given syntax to use with the command.

Cacls link - http://technet.microsoft.com/en-us/library/bb490872.aspx
xacls link - http://tech.cuip.net/logins/docs/Xacls-overview.htm#2
0
 
LVL 3

Expert Comment

by:Rdsterling
ID: 35155446
Another tool is SubInACL.exe.
0
 
LVL 12

Expert Comment

by:Navdeep
ID: 35155479
Hi,

you can use dump sec tool. This will give you which user/group has access on it.

you can install powershell v2 and quest ad command lets tools then you can use
get-acl

and

get-qadmemberof -identity username

this will give you the groupmembership of the user
0
 
LVL 27

Accepted Solution

by:
KenMcF earned 500 total points
ID: 35155776
You will need a third party utility. The ones mentioned already will give you the security group that has access but you will then need to enumerate all the sub groups and users to see who has access. The quest tools will just give you the users in the groups. Take a look at Security Explorer from script logic, I think this will give you what you are looking for.

http://www.scriptlogic.com/products/security-explorer/
0
 
LVL 1

Expert Comment

by:fswilliams
ID: 35156117
I use the following powershell script to enumerate share perms.

save as some.ps1 then run as some.ps1 \\server\sharename

$error.clear()
$erroractionpreference = "SilentlyContinue"

function GetExplicits ($folders)
{
   foreach ($i in $folders)
   {
   $acllist = get-acl $i.fullname 
   foreach ($x in $acllist.Access)
      {
      If ($x.IsInherited -eq $false)
         {
         Write-Host "$($x.IdentityReference.Value) has $($x.FileSystemRights) on $($i.fullname)"
         $spacing = $true
         }     
      }
   If ($spacing){ Write-Host "";$spacing=$null }
   }
}

If ($args[0]) { } Else {"usage: ./auditperms.ps1 `"`"";break}
$strpath = $args[0]
If (test-path $strpath){ } Else { "bad path!";break }

Write-Host "----------------------------------`nROOT FOLDER EXPLICITS"
$folderslist = Get-Item -path $strpath
GetExplicits $folderslist

Write-Host "----------------------------------`nSUBFOLDER EXPLICITS"
$folderslist = Get-ChildItem -path $strpath -recurse | where  {$_.psIscontainer -eq $true}
GetExplicits $folderslist

Open in new window

0

Featured Post

Learn how to optimize MySQL for your business need

With the increasing importance of apps & networks in both business & personal interconnections, perfor. has become one of the key metrics of successful communication. This ebook is a hands-on business-case-driven guide to understanding MySQL query parameter tuning & database perf

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Suggested Courses

624 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question