Solved

AD access audit

Posted on 2012-04-02
9
351 Views
Last Modified: 2012-04-03
Is there any easy way or even any way (easy or not) to specify either a user or group as a parameter and see what resources (ACL) they have access to on a given server/domain? It sounds like something someone must have designed a tool or script for but I cant seem to find anything.
0
Comment
Question by:pma111
  • 4
  • 3
  • 2
9 Comments
 
LVL 35

Accepted Solution

by:
Joseph Daly earned 250 total points
ID: 37796618
You will want to use DSrevoke for this.

http://www.microsoft.com/download/en/details.aspx?id=19288

The command will be similar to below.

dsrevoke /report /domain:domainname domainname\username or group.
0
 
LVL 3

Author Comment

by:pma111
ID: 37796620
I think I may have got my request wording wrong, Im on about access to files on file shares/directories.
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 250 total points
ID: 37796722
There are actually a fair amount of good free tools that can help you figure out what permissions are there

NTFS permissions reporter is the new guy in town

http://www.cjwdev.co.uk/Software/NtfsReports/Info.html

Haven't used that tool a lot yet but I've used his adtools and those are good so I'm guessing this one is just as good.   You get a lot for a free tool

http://www.systemtools.com/somarsoft/?somarsoft.com
dumpsec is an oldie but goodie, dumps reports into excel for you, another free tool, used this a lot

 http://www.solarwinds.com/products/freetools/permissions_analyzer_for_active_directory/

solar winds is ok, another free tool, I wish it didn't have the name Active Directory because it goes through NTFS not AD permissions.

What you are doing is the right thing, look what is there now and then carefully plan the restructuring.

You won't be a junior admin for long :)

Thanks

Mike
0
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 37796906
Id second dumpsec for the security permissions as well. Enumerating permissions, especially on larger shares, can be a painful process. So far dumpsec has been the best solution I have found for it. Good luck.
0
 
LVL 3

Author Comment

by:pma111
ID: 37797475
Thanks both, is the best we are going to get be one where username/share is specified as a parameter - as opposed to "for all our servers here is who can access what" in a form of monster report?
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 37797744
There are some filter options in NTFS Reports that can help but not to search across all file servers like that.

Thanks

Mike
0
 
LVL 3

Author Comment

by:pma111
ID: 37797751
Ok mike - can you clarify what the filters can offer?
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 37797758
There are 11 filters, can't type them all out right now but you can download it and check them out.  Note to use all the filters you do need the full version

Thanks


Mike
0
 
LVL 3

Author Comment

by:pma111
ID: 37799791
Will split points, your input into this thread always welcome:

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Q_27659927.html
0

Join & Write a Comment

Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now