Solved

alternative to security > advanced > effective permissions

Posted on 2013-06-26
5
418 Views
Last Modified: 2013-07-15
I have been tasked with auditing 5x windows 2003 file servers to see what data on the many shares is accessible by domain wide groups such as everyone and domain users. Aside from just creating an account and only adding it to the domain users group, and then manually mounting the shares and seeing what access can I get to, are there any tools that can do an effective permissions report?

I did find sysinternals "accessChk" however I dont think its going to work, from what I gather it is not reporting on nested groups, so if domain users is added to a group, it wont report it as a finding. So an effective permissions report whether the domain users group is added to the ACL directly, or has access as it is a nested group within a group - would be fantastic. From what I can see accessEnum wont work either due to the same problem.

There must be a more sophisticated way of doing this rather than manual trawling.
0
Comment
Question by:pma111
5 Comments
 
LVL 9

Accepted Solution

by:
VirastaR earned 167 total points
ID: 39277364
0
 
LVL 80

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 167 total points
ID: 39277407
If the acl is set for a group and not a specified user than it will only return the 'group' and not a specific user.. you have to know what users are members of a particular group and then cross reference the information.

another way is to get a list of users and then run a script on all directories as that user and report the information out.
0
 
LVL 3

Author Comment

by:pma111
ID: 39280776
Does accessEnum only work at folder level (or can you configure it to) and not report on every single file on a share?
0
 
LVL 3

Author Comment

by:pma111
ID: 39280804
>another way is to get a list of users and then run a script on all directories as that user and report the information out.

Have you ever come across such?
0
 

Assisted Solution

by:Nate15329
Nate15329 earned 166 total points
ID: 39282781
DumpSec (freeware) works pretty well for dumping security permissions for file, network, shares, etc.

Run as domain admin

Just don't install hydra when running the setup.
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A quick step-by-step overview of installing and configuring Carbonite Server Backup.
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question