Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

AD access audit

Posted on 2012-04-02
9
Medium Priority
?
367 Views
Last Modified: 2012-04-03
Is there any easy way or even any way (easy or not) to specify either a user or group as a parameter and see what resources (ACL) they have access to on a given server/domain? It sounds like something someone must have designed a tool or script for but I cant seem to find anything.
0
Comment
Question by:pma111
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 2
9 Comments
 
LVL 35

Accepted Solution

by:
Joseph Daly earned 1000 total points
ID: 37796618
You will want to use DSrevoke for this.

http://www.microsoft.com/download/en/details.aspx?id=19288 

The command will be similar to below.

dsrevoke /report /domain:domainname domainname\username or group.
0
 
LVL 3

Author Comment

by:pma111
ID: 37796620
I think I may have got my request wording wrong, Im on about access to files on file shares/directories.
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 1000 total points
ID: 37796722
There are actually a fair amount of good free tools that can help you figure out what permissions are there

NTFS permissions reporter is the new guy in town

http://www.cjwdev.co.uk/Software/NtfsReports/Info.html

Haven't used that tool a lot yet but I've used his adtools and those are good so I'm guessing this one is just as good.   You get a lot for a free tool

http://www.systemtools.com/somarsoft/?somarsoft.com
dumpsec is an oldie but goodie, dumps reports into excel for you, another free tool, used this a lot

 http://www.solarwinds.com/products/freetools/permissions_analyzer_for_active_directory/

solar winds is ok, another free tool, I wish it didn't have the name Active Directory because it goes through NTFS not AD permissions.

What you are doing is the right thing, look what is there now and then carefully plan the restructuring.

You won't be a junior admin for long :)

Thanks

Mike
0
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 
LVL 35

Expert Comment

by:Joseph Daly
ID: 37796906
Id second dumpsec for the security permissions as well. Enumerating permissions, especially on larger shares, can be a painful process. So far dumpsec has been the best solution I have found for it. Good luck.
0
 
LVL 3

Author Comment

by:pma111
ID: 37797475
Thanks both, is the best we are going to get be one where username/share is specified as a parameter - as opposed to "for all our servers here is who can access what" in a form of monster report?
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 37797744
There are some filter options in NTFS Reports that can help but not to search across all file servers like that.

Thanks

Mike
0
 
LVL 3

Author Comment

by:pma111
ID: 37797751
Ok mike - can you clarify what the filters can offer?
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 37797758
There are 11 filters, can't type them all out right now but you can download it and check them out.  Note to use all the filters you do need the full version

Thanks


Mike
0
 
LVL 3

Author Comment

by:pma111
ID: 37799791
Will split points, your input into this thread always welcome:

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Q_27659927.html
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
How to deal with a specific error when using the Enable-RemoteMailbox cmdlet to create a mailbox in the cloud-based service, for an existing user in an on-premises Active Directory.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Suggested Courses

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question