Solved

AD access audit

Posted on 2012-04-02
Last Modified: 2012-04-03
Is there any easy way or even any way (easy or not) to specify either a user or group as a parameter and see what resources (ACL) they have access to on a given server/domain? It sounds like something someone must have designed a tool or script for but I can't seem to find anything.
Question by:pma111
9 Comments
 
LVL 35

Accepted Solution

by:
Joseph Daly earned 250 total points
ID: 37796618
You will want to use DSrevoke for this.

http://www.microsoft.com/download/en/details.aspx?id=19288 

The command will be similar to below.

dsrevoke /report /domain:domainname domainname\username or group.
0
 
LVL 3

Author Comment

by:pma111
ID: 37796620
I think I may have got my request wording wrong, I'm on about access to files on file shares/directories.
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 250 total points
ID: 37796722
There are actually a fair amount of good free tools that can help you figure out what permissions are there.

NTFS Permissions Reporter is the new guy in town.

http://www.cjwdev.co.uk/Software/NtfsReports/Info.html

Haven't used that tool a lot yet but I've used his adtools and those are good so I'm guessing this one is just as good. You get a lot for a free tool.

http://www.systemtools.com/somarsoft/?somarsoft.com
DumpSec is an oldie but goodie, dumps reports into Excel for you, another free tool, used this a lot.

http://www.solarwinds.com/products/freetools/permissions_analyzer_for_active_directory/

SolarWinds is OK, another free tool. I wish it didn't have the name Active Directory because it goes through NTFS, not AD permissions.

What you are doing is the right thing, look what is there now and then carefully plan the restructuring.

You won't be a junior admin for long :)

Thanks

Mike
0
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 37796906
I'd second dumpsec for the security permissions as well. Enumerating permissions, especially on larger shares, can be a painful process. So far dumpsec has been the best solution I have found for it. Good luck.
0
 
LVL 3

Author Comment

by:pma111
ID: 37797475
Thanks both. Is the best we are going to get one where username/share is specified as a parameter - as opposed to "for all our servers here is who can access what" in the form of a monster report?
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 37797744
There are some filter options in NTFS Reports that can help but not to search across all file servers like that.

Thanks

Mike
0
 
LVL 3

Author Comment

by:pma111
ID: 37797751
Ok mike - can you clarify what the filters can offer?
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 37797758
There are 11 filters, can't type them all out right now but you can download it and check them out. Note: to use all the filters you do need the full version.

Thanks


Mike
0
 
LVL 3

Author Comment

by:pma111
ID: 37799791
Will split points, your input into this thread always welcome:

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Q_27659927.html
0
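The "user or group as a parameter" report asked for in the question, for a single share, as an added example that is not from any poster in this thread: a PowerShell script that lists every folder whose NTFS ACL names the given identity. It assumes PowerShell 3.0 or later; the `$Root` and `$Identity` values shown in the comments are placeholders.

```powershell
# Added example, not code from the thread. Reports NTFS ACEs that name one
# user or group on the folders under a share root.
param(
    [Parameter(Mandatory)] [string] $Root,      # placeholder: \\fileserver\share
    [Parameter(Mandatory)] [string] $Identity,  # placeholder: DOMAIN\groupname
    [switch] $IncludeInherited                  # default: explicit ACEs only
)

# Resolve the name to a SID so matching does not depend on display format.
$sid = ([System.Security.Principal.NTAccount]$Identity).Translate(
    [System.Security.Principal.SecurityIdentifier])

# The root folder plus all subfolders; folders that cannot be listed are skipped.
$folders = @(Get-Item -LiteralPath $Root) +
    @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)

foreach ($folder in $folders) {
    try {
        $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop
    } catch {
        # Report unreadable ACLs instead of stopping the whole audit.
        Write-Warning "Cannot read ACL: $($folder.FullName)"
        continue
    }

    # Request the ACEs with SIDs as identity references, then compare SID strings.
    $rules = $acl.GetAccessRules($true, [bool]$IncludeInherited,
        [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -eq $sid.Value) {
            [pscustomobject]@{
                Path      = $folder.FullName
                Type      = $rule.AccessControlType   # Allow or Deny
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}
```

Only ACEs that name the identity itself are matched, so access a user gets through group membership is not shown, and neither are share-level permissions. The output objects can be piped to `Export-Csv` for a report per share.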
