Solved

Get admin rights

Posted on 2013-06-19
4
289 Views
Last Modified: 2013-06-24
Hi,

I was asked to chart all administrative permissions in a domain.

- What accounts and groups have administrative permissions
- Chart all the permissions on file shares and subfolders

how to achieve this?

(windows 2008 R2 domain)
0
Comment
Question by:SvenIA
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
4 Comments
 
LVL 1

Accepted Solution

by:
jamaicanbishop earned 167 total points
ID: 39260449
Take a look at this diagram it outlines admin groups in AD

http://technet.microsoft.com/en-us/library/cc771990.aspx

Otherwise it will be a somewhat manual process unless you have a tool such as Privilege Manager that does reporting on this.
0
 
LVL 10

Assisted Solution

by:jmanishbabu
jmanishbabu earned 167 total points
ID: 39261589
Chart all the permissions on file shares and subfolders

One could use the previous command to check what permissions a user has on a certain directory.
However, sometimes SHOWACLS from the Windows Server 2003 Resource Kit Tools is a better alternative:

      CD /D d:\directory2check
      SHOWACLS /U:domain\userid

Check all the Commnads here

http://www.robvanderwoude.com/ntadmincommands.php#Cmd05
0
 
LVL 54

Assisted Solution

by:McKnife
McKnife earned 166 total points
ID: 39261742
Hi.

> What accounts and groups have administrative permissions
Already wrong question. Correct would be: "What account or group is member of the local admins group at what computer?" and "Which accounts are members of domain admins (which are local admins on any domain-joined computer)?"
To check this, you would need startup (or shutdown-) scripts that execute the following command:
net localgroup administrators >\\server\share\logs\localAdmins\%computername%.txt

Open in new window

> Chart all the permissions on file shares and subfolders
Icacls.exe can be used or accesscheck. First one is part of windows (Vista or later), second can be downloaded at Microsoft.
0
 
LVL 7

Author Closing Comment

by:SvenIA
ID: 39270765
Thank for the information....
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question