Solved

is there a tool to show what group membership is used for a user to access files folders

Posted on 2011-03-17
Last Modified: 2013-12-07
I have inherited an AD that has a ton of Security groups defined, which makes the overview of what is used to allow who access to what very difficult to get to grips with.

Is it possible to query a tool with a file/folder and a username, and have it return the group membership that is used to give access to the file? Even better would be if the tool showed through which successive memberships access was granted...

The Security groups are sometimes 6-7 memberships deep, and that is not a practicable way of using them to control accessibility... not in my book anyway.


Apologies if my English gets convoluted, I'm not so good at describing technical issues in English.

Best Regards
Panthom
Question by:Panthom
5 Comments
 
LVL 3

Expert Comment

by:Rdsterling
ID: 35155429
Use a tool such as cacls.exe or xacls.exe. They are Windows 2000/2003 Resource Kit tools. If you run these and add /? at the end, you'll be given the syntax to use with the command.

Cacls link - http://technet.microsoft.com/en-us/library/bb490872.aspx
xacls link - http://tech.cuip.net/logins/docs/Xacls-overview.htm#2
 
LVL 3

Expert Comment

by:Rdsterling
ID: 35155446
Another tool is SubInACL.exe.
 
LVL 12

Expert Comment

by:Navdeep
ID: 35155479
Hi,

You can use the DumpSec tool. This will give you which user/group has access on it.

You can install PowerShell v2 and the Quest AD cmdlets; then you can use

get-acl

and

get-qadmemberof -identity username

This will give you the group membership of the user.
 
LVL 27

Accepted Solution

by:
KenMcF earned 500 total points
ID: 35155776
You will need a third-party utility. The ones mentioned already will give you the security group that has access, but you will then need to enumerate all the sub-groups and users to see who has access. The Quest tools will just give you the users in the groups. Take a look at Security Explorer from ScriptLogic; I think this will give you what you are looking for.

http://www.scriptlogic.com/products/security-explorer/
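The accepted answer points to a third-party product for seeing through nested groups, but the membership walk the question asks for can be scripted with what ships in Windows: get-acl for the ACEs on the path, plus a recursive memberOf lookup over ADSI. The following is an added example, not code from any poster in this thread; it assumes a domain-joined host running PowerShell v2 or later, uses ADSI rather than the Quest cmdlets, and its parameter and function names are my own.

```powershell
# Added example (not from the thread): for one path and one user, print the ACEs on the path
# that apply to that user and, for group ACEs, the nested membership chain that leads to the group.
# Assumed: run on a domain-joined host (PowerShell v2 or later); uses ADSI only, no Quest/RSAT modules.
param([Parameter(Mandatory=$true)][string]$Path,
      [Parameter(Mandatory=$true)][string]$SamAccountName)

function Convert-ToSid ([byte[]]$Bytes) {
    (New-Object System.Security.Principal.SecurityIdentifier($Bytes, 0)).Value
}

# Walk memberOf recursively; $Chains maps each group SID reached to the names leading to it.
function Add-GroupChains ([string]$Dn, [string[]]$Chain, [hashtable]$Chains) {
    $obj = [ADSI]("LDAP://" + $Dn)
    foreach ($groupDn in @($obj.memberOf)) {
        if (-not $groupDn) { continue }
        $group = [ADSI]("LDAP://" + $groupDn)
        $sid = Convert-ToSid $group.objectSid.Value
        if ($Chains.ContainsKey($sid)) { continue }     # already reached, or circular nesting
        $Chains[$sid] = $Chain + [string]$group.sAMAccountName
        Add-GroupChains $groupDn $Chains[$sid] $Chains
    }
}

# Locate the user in the current domain and collect every group chain that starts at the user
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
$result = $searcher.FindOne()
if (-not $result) { throw "User '$SamAccountName' not found in the current domain" }
$user    = $result.GetDirectoryEntry()
$userSid = Convert-ToSid $user.objectSid.Value
$chains  = @{}
Add-GroupChains ([string]$user.distinguishedName) @($SamAccountName) $chains

# Compare each ACE's SID with the user's SID and with the SIDs of the groups reached above
$acl = Get-Acl -LiteralPath $Path
foreach ($ace in $acl.Access) {
    try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { continue }                                  # orphaned or unresolvable SID
    $via = $null
    if     ($sid -eq $userSid)          { $via = "direct entry" }
    elseif ($chains.ContainsKey($sid))  { $via = $chains[$sid] -join " -> " }
    if ($via) {
        $inh = if ($ace.IsInherited) { " (inherited)" } else { "" }
        "{0} {1} on {2} via {3}{4}" -f $ace.AccessControlType, $ace.FileSystemRights, $Path, $via, $inh
    }
}
```

memberOf does not list the user's primary group (normally Domain Users), and built-in principals such as Everyone or Authenticated Users are not walked, so an ACE for those still applies without being shown here. The output is the list of matching ACEs, not effective access, so a Deny line must be read together with the Allow lines.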
 
LVL 1

Expert Comment

by:fswilliams
ID: 35156117
I use the following PowerShell script to enumerate share permissions.

Save it as some.ps1, then run it as some.ps1 \\server\sharename

# Suppress error output (e.g. access denied on a subfolder) so the listing keeps going
$error.clear()
$erroractionpreference = "SilentlyContinue"

# Print every non-inherited (explicit) ACE on each folder passed in
function GetExplicits ($folders)
{
   foreach ($i in $folders)
   {
   $acllist = get-acl $i.fullname
   foreach ($x in $acllist.Access)
      {
      If ($x.IsInherited -eq $false)
         {
         Write-Host "$($x.IdentityReference.Value) has $($x.FileSystemRights) on $($i.fullname)"
         $spacing = $true
         }
      }
   # Blank line after a folder that had explicit entries
   If ($spacing){ Write-Host "";$spacing=$null }
   }
}

# Require a path argument and check that it exists
If ($args[0]) { } Else {"usage: ./auditperms.ps1 `"<path>`"";break}
$strpath = $args[0]
If (test-path $strpath){ } Else { "bad path!";break }

Write-Host "----------------------------------`nROOT FOLDER EXPLICITS"
$folderslist = Get-Item -path $strpath
GetExplicits $folderslist

# Recurse into subfolders only (files are skipped)
Write-Host "----------------------------------`nSUBFOLDER EXPLICITS"
$folderslist = Get-ChildItem -path $strpath -recurse | where {$_.psIscontainer -eq $true}
GetExplicits $folderslist

