Indyrb
asked on
Need help with Windows permissions
I have an issue where there are multiple groups that have access to a folder; unfortunately Authenticated Users also has access.
The problem is we don't want Authenticated Users to have access, only the groups assigned.
How can we find out which user is accessing the folder/files and what access permissions they have, as we need to create a dept group?
We need to know who accessed or who can access the share, and find out if they accessed via the Authenticated Users group
or via the assigned group.
Is there a PowerShell script to take every user via ADS, query the folder and find out if they got access via the Authenticated Users group?
Try AccessEnum by Microsoft. You can even export the results.
ASKER
Problem is it's 2003... what options do I have with auditing? And we have 1000s of users with limited space...
My suggestion would be to remove inheritance on the folder's permissions, then select to copy the permissions, then remove the Authenticated Users group from the security properties. That would give you the desired result?
Another option could be to enable quotas on the drive, but allow everyone a sort of unlimited amount for their quota, and then see how that list populates; it may include irrelevant users if those only access other folders, but it would give you a list of users who should definitely be considered.
regards
Bronwen
Can you clarify? Once you find out who accessed as an authenticated user, what does this do for you? Won't you move the users to a certain group anyway? Assuming you remove Authenticated Users' rights and move the users to their group, when each user next logs on, all will be fine.
ASKER
So there are thousands of users.. some need access and some don't.. we need to find out who accessed the share via the Authenticated Users group so we can decide access... only those that wrote or read from the share in x amount of days, as thousands of users are easily within the forest... problem is we can't remove Authenticated Users as legit people are broken.. too many to go one by one.. help desk calls crazy.. so can you explain quota.. or possibly getting a list of users that read and write on the share, their total permissions and the group they belong to. 'Cuz if the Authenticated Users group is how they got in, we can go through that list, add them to a new group, then remove the Authenticated Users group afterwards.. doing it now breaks too many unknown users.
ASKER
No not all users will be moved..
ASKER
There are 1000000s of users in ADS which can access it since they belong to Authenticated Users; we need to get those that wrote, read or browsed the share and traverse their group membership.
You said you didn't want Authenticated Users (the group) to have access, and sorry, I thought you already had a group of users that you could apply as having read/write etc. access.
I also missed the point about having to generate a group from it.
I've had various thoughts on this, and somehow got sidetracked when I mentioned the above by what someone else posted, but anyway, back on track then as I initially wanted to respond with...
I'm going to suggest that you try it, but I don't know if it would work; however, something says that it should...
I've previously created a group policy that on a user's logon would execute a script which would collect the user's AD logon account name and match it to the server where they logged on...
It was more in an attempt to merge users and computers (for auditing purposes),
but anyway, I'm thinking that you could potentially collect information on users that access the server, as it would log some authentication requests and object access logs in the event viewer, which may be able to execute a script by Group Policy, provided that the GPO is configured properly, i.e. allowed to execute for Authenticated Users and the server's computer name also...
I'm going to be honest, it's been 4-5 years since I last touched AD GPOs, but I got something to work and you may need to fiddle with it and see if you could make it work.
The logon policy may need to be executed by the computer or by the user, so place the script in both places.
The script should contain something easy like this:
rem %COMPUTERNAME% is the variable cmd actually sets; %hostname% is not defined, so it would echo literally
echo %USERNAME% , %COMPUTERNAME% , %DATE% >> \\networkserver\networkshare\datacollectionforgroup.txt
or
echo %USERNAME% >> C:\datacollection\groupmembers.txt
This (any one line) could be placed in a .bat file and used as a logon script. Just ensure that the share name allows read/write to everyone and/or that the directories exist etc. :)
This should be able to narrow it down to a large group of users. (Use Excel to remove duplicate users and then you can easily add them into a security group.)
Another idea I've just sort of had was, if you schedule a task to run every 5 or so minutes for a few days to collect the user information, via the PowerShell thing you mentioned, and perhaps also have it pipe the info to a file and continue to add to it till you're done, then you can use Excel to sort, find/replace, remove duplicates etc. until you have a usable list with just usernames.
What I would probably look into is something that checks the users that are currently accessing a specific share, like you can in Computer Management - Shared Folders - Sessions (the DOS command for that would be good).
I don't know if it's "net session" because I'm currently not able to see any sessions on my machine (at home), so I'd suggest you check/try it also. Another command that could work is "nbtstat -S" - again, I can't tell you if it does or not; it may show computer names only, and then you need to be able to link users/computers - see the previous logon script :)
So a .bat file with
nbtstat -S >> file.txt
or
net session >> file.txt
and this scheduled for every few minutes in the Task Scheduler.. - but it could also work with PowerShell like you mentioned; I'm not so comfortable with it yet... so if you go that route, good luck! :)
Oh, I just saw another message from you.
The quota thing - if you right-click on the drive where the folders are mapped to (the drive on the server / the drive which has the share on it), right-click, Properties, then select the Quota tab.
If you enable it, it would basically only allow each user account a certain amount of space that they could use on the server, so in order to ensure that you don't break anything, you enable it and select "do not limit usage".
Then if you click on Quota Entries, you will see everyone who's accessed the drive (even from the network).
Select all, copy and paste into a new txt file, open in Excel, sort, search/replace/neaten up to a usable list and voilà, you have usernames to enter into the AD group.
ASKER
thanks for the feedback
(1) Quotas: the problem with quotas is that they only list people that have saved data against their quota, so read-only access wouldn't be reported.
Just for more info, the Authenticated Users had access to PII or PHI info, so that's a no-no.
(2) nbtstat -S or net session reports all the sessions at a given time, but not the directory or path.
We found a command, "openfiles", on the Windows 2003 server that could potentially help... but we need more assistance.
example -- openfiles /Query /FO csv /NH /V >> F:\OpenSessionsReport\openfiles.txt
(1) We need to manage size.
Is there a way to have another script pull openfiles.txt and import it into a DB, Access or Excel?
(2) We need to import it into Excel and automate the process of removing duplicates. I know we can sort and/or filter, but is there a way to automate this?
(3) Finally, while openfiles shows Read or Read+Write, it doesn't show the group.. so if there was a way to pull that user's group membership somehow, to see if they got in via Authenticated Users and/or a local users group..
Your help has been phenomenal; can you help get us to that last mile? :)
Or anyone?
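The following is an added example for this thread, not the asker's or Bronwen's code. It ties the original question (which users got in only through Authenticated Users) to the three follow-ups above: it reads the folder ACL to learn which groups are actually assigned, parses the appended output of the asker's `openfiles /Query /FO csv /NH /V` task, de-duplicates it per user (the Excel step, automated), and resolves each user's nested group membership with plain ADSI, which works against a Windows 2003 DC without the ActiveDirectory module. The share root, log and output paths, and the seven-column `/V` layout (Hostname, ID, Accessed By, Type, #Locks, Open Mode, Open File) are assumptions; check the column order against one line of your own log before trusting the result. One caveat on the approach itself: `openfiles` only sees handles that are open at the moment the task runs, so a user whose read finishes between two runs is never recorded.

```powershell
# Added example, not code from the thread. Assumed paths and column layout are marked.
# Run with PowerShell 2.0 on the 2003 file server, or on an admin box after copying the log over.
param(
    [string]$ShareRoot    = 'F:\DeptShare',                          # assumed: folder whose ACL still lists Authenticated Users
    [string]$OpenFilesLog = 'F:\OpenSessionsReport\openfiles.txt',   # rolling output of the asker's "openfiles ... >>" task
    [string]$OutCsv       = 'F:\OpenSessionsReport\candidates.csv'   # assumed: where the de-duplicated report goes
)

# --- 1. Which principals are explicitly assigned on the folder, and is Authenticated Users among them?
$AuthUsersSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'
$assigned = @{}                  # SID string -> name, for every Allow ACE other than Authenticated Users
$authUsersGranted = $false
foreach ($ace in (Get-Acl -Path $ShareRoot).Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
    catch { continue }           # orphaned SID: it cannot be what lets anyone in, skip it
    if ($sid -eq $AuthUsersSid) { $authUsersGranted = $true; continue }
    $assigned[$sid.Value] = $ace.IdentityReference.Value
}
if (-not $authUsersGranted) { Write-Warning "Authenticated Users is not granted on $ShareRoot; nothing to remove." }

# --- 2. Parse the appended openfiles output. /NH means there is no header row, so we supply one.
#        Assumed /V column order: Hostname, ID, Accessed By, Type, #Locks, Open Mode, Open File.
$header = 'Hostname','ID','AccessedBy','Type','Locks','OpenMode','OpenFile'
$rows = Get-Content -Path $OpenFilesLog |
        Where-Object { $_ -match '^"' } |      # drops "No shared open files found." and blank lines
        ConvertFrom-Csv -Header $header

# --- 3. De-duplicate per user: one record per DOMAIN\user for files under the share root.
$byUser = @{}
foreach ($r in $rows) {
    if ($r.OpenFile -notlike "$ShareRoot*") { continue }
    $u = $r.AccessedBy.ToLower()
    if (-not $byUser.ContainsKey($u)) { $byUser[$u] = @{ Reads = 0; Writes = 0 } }
    if ($r.OpenMode -match 'Write') { $byUser[$u]['Writes'] += 1 } else { $byUser[$u]['Reads'] += 1 }
}

# --- 4. The user's own SID plus tokenGroups (all nested groups, as computed by the DC). This searches the
#        current domain only; for accounts from other forest domains set $searcher.SearchRoot to that domain.
function Get-UserSids([string]$domainUser) {
    $sam = $domainUser.Split('\')[-1]
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$sam))"
    $hit = $searcher.FindOne()
    if ($hit -eq $null) { return @() }
    $entry = $hit.GetDirectoryEntry()
    $entry.RefreshCache(@('tokenGroups'))
    $blobs = New-Object System.Collections.ArrayList
    [void]$blobs.Add($entry.Properties['objectSid'][0])            # a direct ACE on the user counts as assigned too
    foreach ($g in $entry.Properties['tokenGroups']) { [void]$blobs.Add($g) }
    $sids = @()
    foreach ($bytes in $blobs) {
        $sids += (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
    }
    return $sids
}

# --- 5. A user with no assigned group (and no direct ACE) in their token only got in through Authenticated
#        Users; those accounts go into the new dept group before the Authenticated Users ACE is removed.
$report = foreach ($u in ($byUser.Keys | Sort-Object)) {
    $userSids = @(Get-UserSids $u)
    $via = @($userSids | Where-Object { $assigned.ContainsKey($_) } | ForEach-Object { $assigned[$_] })
    New-Object PSObject -Property @{
        User          = $u
        Reads         = $byUser[$u]['Reads']
        Writes        = $byUser[$u]['Writes']
        ViaAssigned   = ($via -join ';')
        Resolved      = ($userSids.Count -gt 0)                       # $false: account not found, review by hand
        AuthUsersOnly = ($userSids.Count -gt 0 -and $via.Count -eq 0)
    }
}
$report | Export-Csv -Path $OutCsv -NoTypeInformation
$report | Where-Object { $_.AuthUsersOnly } | Select-Object User, Reads, Writes | Format-Table -AutoSize
```

Users flagged `AuthUsersOnly` are the ones the asker wants to collect into the new dept group; `ViaAssigned` shows which existing group already covers everyone else, and `Resolved = False` marks accounts the current domain could not find (other domains in the forest, deleted accounts, or local accounts on the server) that still need a manual look.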
ASKER CERTIFIED SOLUTION
any update on this?