Solved

AD access audit

Posted on 2012-04-02
9
361 Views
Last Modified: 2012-04-03
Is there any easy way or even any way (easy or not) to specify either a user or group as a parameter and see what resources (ACL) they have access to on a given server/domain? It sounds like something someone must have designed a tool or script for but I cant seem to find anything.
0
Comment
Question by:pma111
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 2
9 Comments
 
LVL 35

Accepted Solution

by:
Joseph Daly earned 250 total points
ID: 37796618
You will want to use DSrevoke for this.

http://www.microsoft.com/download/en/details.aspx?id=19288 

The command will be similar to below.

dsrevoke /report /domain:domainname domainname\username or group.
0
 
LVL 3

Author Comment

by:pma111
ID: 37796620
I think I may have got my request wording wrong, Im on about access to files on file shares/directories.
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 250 total points
ID: 37796722
There are actually a fair amount of good free tools that can help you figure out what permissions are there

NTFS permissions reporter is the new guy in town

http://www.cjwdev.co.uk/Software/NtfsReports/Info.html

Haven't used that tool a lot yet but I've used his adtools and those are good so I'm guessing this one is just as good.   You get a lot for a free tool

http://www.systemtools.com/somarsoft/?somarsoft.com
dumpsec is an oldie but goodie, dumps reports into excel for you, another free tool, used this a lot

 http://www.solarwinds.com/products/freetools/permissions_analyzer_for_active_directory/

solar winds is ok, another free tool, I wish it didn't have the name Active Directory because it goes through NTFS not AD permissions.

What you are doing is the right thing, look what is there now and then carefully plan the restructuring.

You won't be a junior admin for long :)

Thanks

Mike
0
How Do You Stack Up Against Your Peers?

With today’s modern enterprise so dependent on digital infrastructures, the impact of major incidents has increased dramatically. Grab the report now to gain insight into how your organization ranks against your peers and learn best-in-class strategies to resolve incidents.

 
LVL 35

Expert Comment

by:Joseph Daly
ID: 37796906
Id second dumpsec for the security permissions as well. Enumerating permissions, especially on larger shares, can be a painful process. So far dumpsec has been the best solution I have found for it. Good luck.
0
 
LVL 3

Author Comment

by:pma111
ID: 37797475
Thanks both, is the best we are going to get be one where username/share is specified as a parameter - as opposed to "for all our servers here is who can access what" in a form of monster report?
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 37797744
There are some filter options in NTFS Reports that can help but not to search across all file servers like that.

Thanks

Mike
0
 
LVL 3

Author Comment

by:pma111
ID: 37797751
Ok mike - can you clarify what the filters can offer?
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 37797758
There are 11 filters, can't type them all out right now but you can download it and check them out.  Note to use all the filters you do need the full version

Thanks


Mike
0
 
LVL 3

Author Comment

by:pma111
ID: 37799791
Will split points, your input into this thread always welcome:

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Q_27659927.html
0

Featured Post

Transaction Monitoring Vs. Real User Monitoring

Synthetic Transaction Monitoring Vs. Real User Monitoring: When To Use Each Approach? In this article, we will discuss two major monitoring approaches: Synthetic Transaction and Real User Monitoring.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question