Solved

alternative to security > advanced > effective permissions

Posted on 2013-06-26
5
416 Views
Last Modified: 2013-07-15
I have been tasked with auditing 5x windows 2003 file servers to see what data on the many shares is accessible by domain wide groups such as everyone and domain users. Aside from just creating an account and only adding it to the domain users group, and then manually mounting the shares and seeing what access can I get to, are there any tools that can do an effective permissions report?

I did find sysinternals "accessChk" however I dont think its going to work, from what I gather it is not reporting on nested groups, so if domain users is added to a group, it wont report it as a finding. So an effective permissions report whether the domain users group is added to the ACL directly, or has access as it is a nested group within a group - would be fantastic. From what I can see accessEnum wont work either due to the same problem.

There must be a more sophisticated way of doing this rather than manual trawling.
0
Comment
Question by:pma111
5 Comments
 
LVL 9

Accepted Solution

by:
VirastaR earned 167 total points
ID: 39277364
0
 
LVL 78

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 167 total points
ID: 39277407
If the acl is set for a group and not a specified user than it will only return the 'group' and not a specific user.. you have to know what users are members of a particular group and then cross reference the information.

another way is to get a list of users and then run a script on all directories as that user and report the information out.
0
 
LVL 3

Author Comment

by:pma111
ID: 39280776
Does accessEnum only work at folder level (or can you configure it to) and not report on every single file on a share?
0
 
LVL 3

Author Comment

by:pma111
ID: 39280804
>another way is to get a list of users and then run a script on all directories as that user and report the information out.

Have you ever come across such?
0
 

Assisted Solution

by:Nate15329
Nate15329 earned 166 total points
ID: 39282781
DumpSec (freeware) works pretty well for dumping security permissions for file, network, shares, etc.

Run as domain admin

Just don't install hydra when running the setup.
0

Featured Post

New My Cloud Pro Series - organize everything!

With space to keep virtually everything, the My Cloud Pro Series offers your team the network storage to edit, save and share production files from anywhere with an internet connection. Compatible with both Mac and PC, you're able to protect your content regardless of OS.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Group policy not applying 5 76
Shadow copies windows server 2003 2 79
SSL certificate pack 6 158
Windows 2003 domain controller crashed BDC is 2008 server 4 64
SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This Micro Tutorial will give you a basic overview how to record your screen with Microsoft Expression Encoder. This program is still free and open for the public to download. This will be demonstrated using Microsoft Expression Encoder 4.
With the power of JIRA, there's an unlimited number of ways you can customize it, use it and benefit from it. With that in mind, there's bound to be things that I wasn't able to cover in this course. With this summary we'll look at some places to go…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now