Need help with Windows permissions

I have an issue where there are multiple groups that have access to a folder; unfortunately Authenticated Users also has access.
The problem is we don't want Authenticated Users to have access, only the groups assigned.
How can we find out which user is accessing the folder/files and what access permissions they have, as we need to create a dept group?

We need to know who accessed or who can access the share and find out if they accessed via the Authenticated Users group..
or via the assigned group..

Is there a PowerShell script to take every user via ADS, query the folder, and find out if they got access via the Authenticated Users group?

Try AccessEnum by Microsoft. You can even export the results.
Indyrb (Author) commented:
problem is 2003... what options do I have with auditing and we have 1000s of users with limited space...
My suggestion would be to remove inheritance on the folder's permissions, then select to copy the permissions, then remove the Authenticated Users group from the security properties, and you would have the desired result?

Another option could be to enable quotas on the drive, but allow everyone a sort of unlimited amount for their quota, and then see how that list populates. It may include irrelevant users if those access other folders only, but would give you a list of users who should definitely be considered..


Can you clarify? Once you find out who accessed as an authenticated user, what does this do for you? Won't you move the users to a certain group anyway? Assuming you remove authenticated user rights, and move the users to their group, when the user next logs on, all will be fine.
Indyrb (Author) commented:
so there are thousands of users.. some need access and some don't.. we need to find out who accessed the share via the Authenticated Users group so we can decide access...  only those that wrote or read from the share in x amount of days, as thousands of users are easily within the forest...  problem is we can't remove Authenticated Users as legit people are broke.. too many to go one by one. help desk calls crazy.. so can you explain quota.. or possibly getting a list of users that read and write on the share, their total permissions and the group they belong to. cuz if the Authenticated Users group is how they got in we can go through that list, add to a new group, then remove the Authenticated Users group afterwards.. doing it now breaks too many unknown users
Indyrb (Author) commented:
No not all users will be moved..
Indyrb (Author) commented:
there are 1000000s of users in ADS which can access since they belong to Authenticated Users; we need to get those that wrote, read or browsed the share and traverse their group membership
You said you didn't want Authenticated Users (the group) to have access, and sorry, I thought you had a group of users already that you could apply as having read/write etc. access..

I also missed the point about having to generate a group from it.

I've had various thoughts on this, and somehow got sidetracked when I mentioned the above by what someone else posted, but anyway, back on track then as I initially wanted to respond with..

I'm going to suggest that you try it, but I don't know if it would work; however something may say that it should...

I've previously created a group policy that on a user's logon, it would execute a script which would collect the users ad logon account name and match it to the server where they logged onto...

It was more in an attempt to merge users and computers (for auditing purposes)

but anyway, I'm thinking that you could potentially collect user information that accesses the server, as it would log some authentication requests and object access logs in the event viewer, which may be able to execute a script by Group Policy, provided that the GPO is configured properly... i.e., allowed to execute - Authenticated Users and the server's computer name also..

I'm going to be honest, it's been 4-5 years since I last touched AD GPOs, but I got something to work and you may need to fiddle with it and see if you could make it work.

the logon policy may need to be executed by the computer or by the user so place the script in both places.

the script should contain something easy like this

echo %username% , %computername% , %date% >> \\networkserver\networkshare\datacollectionforgroup.txt


echo %username% >> C:\datacollection\groupmembers.txt

this (any one line)  could be placed in a .bat file and used as a logon script. just ensure that the sharename allows read/write to everyone and or that the directories exist etc. :)

this should be able to narrow it down to a large group of users. (use excel to remove duplicate users and then you can easily add them into a security group.)
another idea I've just sort of had, was if you schedule a task to run every 5 or so minutes for a few days to collect the user information, via the powershell thing you mentioned, and perhaps also have it pipe the info to a file and continue to add to it till you're done, then you can use excel to sort, find/replace, remove duplicates etc. until you have a usable list with just usernames.

What I would probably look into is something that checks the users that are currently accessing a specific share, like you can in computer management - shared folders - sessions (the dos command for that, would be good)

I don't know if it's "net session" because I'm currently not able to see any sessions on my machine (at home) so I'd suggest you check/try it also. other commands that could work is "nbtstat -S" - again, I can't tell you if it does/not, it may show computer names only and then you need to be able to link users/computers - see previous logon script :)

So a .bat file with
nbtstat -S >> file.txt

net session >> file.txt

and this scheduled for every few minutes in the task scheduler.. - but could also work with powershell like you mentioned, I'm not so comfortable with it yet... so if you go that route, good luck! :)
oh, I just saw another message from you.

the quota thing - if you right click on the drive where the folders are mapped to, (the drive on the server/the drive which has the share on it). right click, properties, then select the quota tab.

if you enable it, it would basically only allow each user account a certain amount of space that they could use on the server, so in order to ensure that you don't break anything, you enable it and select - do not limit usage.

then if you click on quota entries, you will see everyone who's accessed the drive (even from the network)

select all, copy and paste into a new txt file, open in excel, sort, search/replace/neaten up to a usable list and voilà, you have usernames to enter into the AD group
Indyrb (Author) commented:
thanks for the feedback

(1) Quotas, the problem with quotas is that it only lists people that have saved data against their quota.. so Read access only wouldn't be reported.

Just for more info the Authenticated Users had access to PII or PHI info, so that's a no no..

(2) nbtstat -S or net session reports all the sessions in a given time, but not the directory or path..

We found a file "openfiles" on the windows 2003 server that could potentially help... but need more assistance..

example -- openfiles /Query /FO csv /NH /V >> F:\OpenSessionsReport\openfiles.txt

(1) we need to manage size.
      Is there a way to have another script pull openfiles.txt and import into a DB or Access or Excel.

(2) we need to import into excel, and automate the process of removing duplicates. I know we can sort /and/or filter. but is there a way to automate this.

(3) finally, while the openfiles shows read or read+write -- it doesn't show the group.. so if there was a way to pull that user's group membership somehow to see if they got in via Authenticated Users, and/or local users group..

Your help has been phenomenal, can you help get us to that last mile? : )
Or anyone?
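The three points above (keeping the log size down, de-duplicating the users automatically, and getting a per-user read/write picture) can be done in one script over the openfiles.txt file instead of Excel. The following is an added example, not code posted in the thread. It assumes the column order of `openfiles /Query /FO csv /NH /V` is Hostname, ID, Accessed By, Type, #Locks, Open Mode, Open File, that any mode containing "Write" means write access, and PowerShell 3 or later; the log lines and names (`FILESRV01`, `F:\DeptShare`, the accounts) are constructed stand-ins.

```powershell
# Added example, not code posted in the thread. Summarises the file built by
#   openfiles /Query /FO csv /NH /V >> F:\OpenSessionsReport\openfiles.txt
# Assumed /V column order: Hostname, ID, Accessed By, Type, #Locks, Open Mode, Open File.
# Needs PowerShell 3 or later; the log lines below are constructed stand-ins.

$RawLog = @'
"FILESRV01","123","CORP\jdoe","Windows","0","Read","F:\DeptShare\budget.xlsx"
"FILESRV01","123","CORP\jdoe","Windows","0","Read","F:\DeptShare\budget.xlsx"
"FILESRV01","140","CORP\asmith","Windows","0","Write","F:\DeptShare\notes.txt"
"FILESRV01","141","CORP\asmith","Windows","0","Read","F:\DeptShare\"
"FILESRV01","150","CORP\bjones","Windows","0","Read","F:\Public\readme.txt"
"FILESRV01","151","CORP\clee","Windows","0","Read + Write","F:\DeptShare\Q3\plan.docx"
'@

$OpenFilesHeader = 'Hostname', 'ID', 'AccessedBy', 'Type', 'Locks', 'OpenMode', 'OpenFile'

function Get-ShareAccessSummary {
    param(
        [Parameter(Mandatory)][string]$LogText,    # contents of openfiles.txt
        [Parameter(Mandatory)][string]$SharePath   # local path of the share, e.g. F:\DeptShare
    )
    $prefix = $SharePath.TrimEnd('\') + '\'
    $rows = ($LogText -split "`r?`n") |
        Where-Object { $_.Trim() -ne '' } |
        ConvertFrom-Csv -Header $OpenFilesHeader

    # keep only opens under the share, then collapse to one row per account
    $rows |
        Where-Object { $_.OpenFile -like "$prefix*" } |
        Group-Object -Property AccessedBy |
        ForEach-Object {
            $modes = $_.Group | ForEach-Object { $_.OpenMode }
            $files = $_.Group | ForEach-Object { $_.OpenFile } | Sort-Object -Unique
            [pscustomobject]@{
                # strip DOMAIN\ so the name lines up with sAMAccountName later
                User  = ($_.Name -split '\\')[-1]
                # any open mode containing "Write" counts as write access
                Mode  = if ($modes -match 'Write') { 'Write' } else { 'Read' }
                Opens = $_.Count
                Files = $files -join ';'
            }
        } | Sort-Object User
}

# Folds a fresh summary into a running CSV so the raw openfiles.txt can be
# truncated after each scheduled run instead of growing without bound.
function Update-ShareAccessSummary {
    param([string]$LogText, [string]$SharePath, [string]$SummaryPath)
    $known = @()
    if (Test-Path $SummaryPath) { $known = @(Import-Csv $SummaryPath) }
    $fresh = @(Get-ShareAccessSummary -LogText $LogText -SharePath $SharePath)
    $merged = ($known + $fresh) | Group-Object -Property User | ForEach-Object {
        $modes = $_.Group | ForEach-Object { $_.Mode }
        $opens = $_.Group | ForEach-Object { [int]$_.Opens } | Measure-Object -Sum
        [pscustomobject]@{
            User  = $_.Name
            Mode  = if ($modes -contains 'Write') { 'Write' } else { 'Read' }
            Opens = $opens.Sum
        }
    }
    $merged | Export-Csv -Path $SummaryPath -NoTypeInformation
    $merged
}

# One-off view of the constructed log: asmith/Write, clee/Write, jdoe/Read; bjones is
# dropped because F:\Public is not under the share.
Get-ShareAccessSummary -LogText $RawLog -SharePath 'F:\DeptShare' | Format-Table -AutoSize

# Scheduled use (after a successful merge the raw file can be emptied with Clear-Content):
# Update-ShareAccessSummary -LogText (Get-Content F:\OpenSessionsReport\openfiles.txt -Raw) `
#     -SharePath 'F:\DeptShare' -SummaryPath F:\OpenSessionsReport\summary.csv
```

openfiles only shows handles that are open at the moment it runs, so a task that runs it every few minutes over a week or two, feeding Update-ShareAccessSummary, is what gives a usable list; a user who opens and closes a file between two runs is still missed, which is why the read-only population is the hard part to enumerate this way.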
hi there, cool, good to hear that you found another option! a new thing for me to maybe use again in future.

on no 1. to be honest, I've collected daily logon and logoff information (user and computer mapping with date time and logon server data) for +- 20 000 users over a week and I think the text file was something like 20-40 MB or so. So I'd not be worried about the size at all. just check it each day, or so, if it grows too much, cut it from the folder and it will re-create a new file with the next entry, and then just copy the text from there into an excel file, and then save it, and repeat again tomorrow/a few days later until you feel comfortable with the list. (obviously you will have a few HD calls once you restrict the access, but that will happen no matter how much you try to avoid it, however I'd aim to have no more than 2-3 a day for a few days.. and for that, you probably need to collect data for a week or two.)

for 2,
there is a way.. but I'm not good at it.. you can do it by creating and using a macro. - my understanding is that you want to do this for one folder/server/drive, not hundreds of folders, and personally I think that creating/spending time to figure out the macro thing would be 100x more than to do it manually once.. - I would seriously even do it for you, if you gave me the file...  It should be really easy. just remember that search and replace is very useful in these situations.. i.e., if you have a trailing bunch of information that you want to get rid of and the section just after the part you need is consistently the same, i.e.,   "blaahdy servername (space space tab) blaahdy fish paste" and say "space space tab bla..." is repeated on each line, then you can search and replace "space space tab*" with "nothing" and it will clear all of the trailing ends after servername.. or username or whatever it is that you are attempting to set aside.

remember that usernames cannot have spaces, so you know for sure you can use Space as a delimiter to split into columns in excel. also if the username is always 20 chars from the left of the text document, you can do a text to columns and select to split the columns there and before the next value..  - I'm not sure how well you know excel, but there are many tricks that you can use to manipulate the data.. also something like Ulead text editor could be very handy.. it can cut out a column from a plain text document, so that chars 4-9 for example in each row are cut out of the document and you can paste it into a new text doc. - if you have a few lines as an example, paste it here and I'll give you some guidance on the cleanup. (sort the data so that the same format is at the top/bottom, cut that into a new worksheet, then start doing text to columns etc..)

on the last point, no 3.
I am not sure why you would want to know this, but let me not make that call on your behalf, I'd say it's irrelevant, as I don't see the purpose of it, but, I'm assuming it's valid for some reason.. (My thought was that you wanted to be able to add the users to a group, more than get from which group they got access.) - but anyway,

you mention local group, i.e., from the server's local group? - in users/computers on the server, the lists there.. use the display name you see there, go to cmd. - execute the command "Net Localgroup Administrators" or whatever the group names are that you have there, which you think/know has many users in it. then >> it to a file.
copy the usernames from that into another worksheet where you have the already collected usernames from no 2 above. then run a vlookup of the data you collected from the group output and match it up with data in the other list. so say sheet 1 column A has all the collected data from no 2 above, and sheet2 has all the localgroup users, then I'd add a value like "yes/no/whatever" into column B of sheet 2. then in sheet 1, column B, say B1, type

it will then look up the value in sheet 1, cell A1, and look for a matching value in sheet 2, column A, and then return the value from column B, i.e., if found in column A, row 33, then it would place the value from B33 into sheet1, B1 (where you typed the formula). you can also make it =vlookup(A1,sheet2!A:B,1,false) without having anything in column B of sheet 2, and it would duplicate the name in column B of sheet1 where found; where not found, it will display #N/A - but then you need to immediately select all (Ctrl + A) and right click, (paste - values) so that you don't lose the info. repeat as required for other groups etc..

if you want to know if the user gained access through "authenticated users" then it would be what ever was not part of the groups.

I'm going to lean towards you maybe having meant domain local group or so... in which case, you can do a csvde export of the domain; however you can specify the attributes, which would reduce the export greatly and give you what you want more than anything.

for that, you can run csvde or ldifde.. it should look something like this... from cmd, type
csvde -r "(objectClass=group)" -l member -f domainexport.csv
csvde -r "(objectClass=group)" -l member,dn,cn,sAMAccountName -f domainexport.csv

you can check csvde /? for some hints. I'm at home again, so not able to test it, but if you need help, let me know.

you can use another switch, like -d and then use the DN of the actual group (location and name looking like CN=groupname,OU=OUNAME,OU=OUNAME2,DC=SUBDOMAIN,DC=LARGECORP,DC=COM)

so this would only export this group's members and then you have a single list to look at, then you can do the same as before, compare the values and determine which users are in the group and the delta is not.

To add the users, you can add the users multiple times, it would  just say already in the group for each one that already exists there.
(you may want to create a completely new group and dump them all in there and assign the permissions to it, else you may need to hold down the enter key when it pops up with the notification to say the user already exists :)

I hope this helps you on your way to getting the results you want.. :) else I'll be here,.. shout :)
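The comparison described in this answer (collected usernames on one side, group members from a csvde export on the other, the delta being the people who can only be getting in through Authenticated Users) can be scripted rather than done with vlookup. The following is an added example and is not code from the thread. It assumes csvde joins multi-valued attributes such as member with ';', that group members are listed as DNs (so a second export of users gives the DN to sAMAccountName mapping), and PowerShell 3 or later; the exports, the group names `Finance-RW`, `Finance-RO`, `Helpdesk` and the accounts are constructed samples so it runs offline.

```powershell
# Added example, not code posted in the thread. Decides, for each account seen on
# the share, whether it is covered by one of the groups that are on the ACL or is
# getting in only through Authenticated Users. It reads csvde-style exports such as
#   csvde -r "(objectClass=group)" -l dn,sAMAccountName,member -f groups.csv
#   csvde -r "(objectClass=user)"  -l dn,sAMAccountName -f users.csv
# Assumptions: csvde joins multi-valued attributes with ';', and PowerShell 3 or later.
# Both exports below are constructed samples so the script runs offline.

$GroupExport = @'
DN,sAMAccountName,member
"CN=Finance-RW,OU=Groups,DC=corp,DC=example",Finance-RW,"CN=Jane Doe,OU=Staff,DC=corp,DC=example;CN=Al Smith,OU=Staff,DC=corp,DC=example"
"CN=Finance-RO,OU=Groups,DC=corp,DC=example",Finance-RO,"CN=Bob Jones,OU=Staff,DC=corp,DC=example"
"CN=Helpdesk,OU=Groups,DC=corp,DC=example",Helpdesk,"CN=Cy Lee,OU=Staff,DC=corp,DC=example"
'@

$UserExport = @'
DN,sAMAccountName
"CN=Jane Doe,OU=Staff,DC=corp,DC=example",jdoe
"CN=Al Smith,OU=Staff,DC=corp,DC=example",asmith
"CN=Bob Jones,OU=Staff,DC=corp,DC=example",bjones
"CN=Cy Lee,OU=Staff,DC=corp,DC=example",clee
'@

# Accounts observed opening files on the share (the de-duplicated openfiles list); constructed.
$Observed = 'jdoe', 'asmith', 'clee', 'dkim'

# Groups that are explicitly granted on the folder ACL; Helpdesk is deliberately not one of them.
$AssignedGroups = 'Finance-RW', 'Finance-RO'

function Get-AccessSource {
    param(
        [Parameter(Mandatory)][string]$GroupCsv,
        [Parameter(Mandatory)][string]$UserCsv,
        [Parameter(Mandatory)][string[]]$ObservedUsers,
        [Parameter(Mandatory)][string[]]$AclGroups
    )
    # member values are DNs, so build DN -> sAMAccountName from the user export
    $dnToSam = @{}
    foreach ($u in ($UserCsv | ConvertFrom-Csv)) { $dnToSam[$u.DN] = $u.sAMAccountName }

    # sAMAccountName -> ACL groups the account is a direct member of
    $memberOf = @{}
    foreach ($g in ($GroupCsv | ConvertFrom-Csv)) {
        if ($AclGroups -notcontains $g.sAMAccountName) { continue }
        foreach ($dn in ($g.member -split ';')) {
            $sam = $dnToSam[$dn.Trim()]
            if (-not $sam) { continue }
            if (-not $memberOf.ContainsKey($sam)) { $memberOf[$sam] = @() }
            $memberOf[$sam] += $g.sAMAccountName
        }
    }

    foreach ($user in $ObservedUsers) {
        $inAcl = $memberOf.ContainsKey($user)
        [pscustomobject]@{
            User        = $user
            AccessVia   = if ($inAcl) { $memberOf[$user] -join ',' } else { 'Authenticated Users' }
            # accounts to put in the new department group before the Authenticated Users ACE goes
            AddToGroup  = -not $inAcl
            # false for an account missing from the user export (local account, other domain, typo)
            InDirectory = ($dnToSam.Values -contains $user)
        }
    }
}

# jdoe and asmith come in via Finance-RW; clee (only in Helpdesk) and dkim (not in the
# export at all) show as Authenticated Users and are the ones that need a group.
Get-AccessSource -GroupCsv $GroupExport -UserCsv $UserExport `
    -ObservedUsers $Observed -AclGroups $AssignedGroups | Format-Table -AutoSize
```

Only direct membership is checked: someone in a group that is itself nested inside Finance-RW would be reported as Authenticated Users, so either expand nesting first (one csvde run per nested group with -d, as described above) or accept a few extra names in the new group; an extra member is harmless, whereas a missed one is a help desk call once the Authenticated Users entry is removed.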

any update on this?