Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 409
  • Last Modified:

is there a tool to show what group membership is used for a user to access files folders

I have inherited an AD that has a ton of Security groups defined that are causing the overview of what is used to allow who access to what is very difficult to get to grips with.

Is it possible to query a tool with a file/folder and a username, and have returned the group membership that is used to give access to the file? Even better would be if the tool showed through which following membership access was granted...

The Security groups are sometimes 6-7 memberships deep, and that is not a practicable way of using them to control accessibilty... not in my book anyway.


Apologies if my english gets convoluted, I'm not so good at describing technical issues in english.

Best Regards
Panthom
0
Panthom
Asked:
Panthom
1 Solution
 
RdsterlingCommented:
Using a tools such as called cacls.exe or xacls.exe. They are Windows 2000/2003 resource kit tools. If you run these and add  /? at the end, you'll be given syntax to use with the command.

Cacls link - http://technet.microsoft.com/en-us/library/bb490872.aspx
xacls link - http://tech.cuip.net/logins/docs/Xacls-overview.htm#2
0
 
RdsterlingCommented:
Another tool is SubInACL.exe.
0
 
NavdeepCommented:
Hi,

you can use dump sec tool. This will give you which user/group has access on it.

you can install powershell v2 and quest ad command lets tools then you can use
get-acl

and

get-qadmemberof -identity username

this will give you the groupmembership of the user
0
 
KenMcFCommented:
You will need a third party utility. The ones mentioned already will give you the security group that has access but you will then need to enumerate all the sub groups and users to see who has access. The quest tools will just give you the users in the groups. Take a look at Security Explorer from script logic, I think this will give you what you are looking for.

http://www.scriptlogic.com/products/security-explorer/
0
 
fswilliamsCommented:
I use the following powershell script to enumerate share perms.

save as some.ps1 then run as some.ps1 \\server\sharename

$error.clear()
$erroractionpreference = "SilentlyContinue"

function GetExplicits ($folders)
{
   foreach ($i in $folders)
   {
   $acllist = get-acl $i.fullname 
   foreach ($x in $acllist.Access)
      {
      If ($x.IsInherited -eq $false)
         {
         Write-Host "$($x.IdentityReference.Value) has $($x.FileSystemRights) on $($i.fullname)"
         $spacing = $true
         }     
      }
   If ($spacing){ Write-Host "";$spacing=$null }
   }
}

If ($args[0]) { } Else {"usage: ./auditperms.ps1 `"`"";break}
$strpath = $args[0]
If (test-path $strpath){ } Else { "bad path!";break }

Write-Host "----------------------------------`nROOT FOLDER EXPLICITS"
$folderslist = Get-Item -path $strpath
GetExplicits $folderslist

Write-Host "----------------------------------`nSUBFOLDER EXPLICITS"
$folderslist = Get-ChildItem -path $strpath -recurse | where  {$_.psIscontainer -eq $true}
GetExplicits $folderslist

Open in new window

0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now