Define User Group Permission Access Matrix on Enterprise Domain Network in Excel

Lucky Tham
Hi Anyone,

My boss wants me to define all the users (about 20,000 domain members) and which groups they are members of (a few thousand groups) in our enterprise domain, to come up with an accurate user domain permission matrix.

What should I do, as I'm very new to enterprise domain networks, not very good at writing scripts (e.g. using PowerShell), and have never worked in an enterprise network before?

What is the best suggestion for me in order to complete this within 1 day, as my boss requires?

Can anyone help?

Thanks.

Lucky
Access-Matrix-v2.xlsx
Datacenter platform engineer Lindows
Commented:
Hi Lucky Tham,

IMHO this request is next to impossible. AD consists of so many permissions that you cannot simply store them in one report the boss could read. For 20K users, ALL rights in a single xls file would grow into hundreds of megabytes.
Does he need to know who is allowed to VPN, RDP, print on specific printers, who has specific NTFS rights, mailbox delegates, where they inherit from a security group? etc. etc.

My best advice is to go back and simply tell him you cannot script enough in one day to customize anywhere from 25 to 50 reports, but should instead buy a third-party tool like https://www.manageengine.com/products/ad-manager/active_directory_user_reports.html

Cheers
Lucky Tham, Freelancer

Author

Commented:
Hi,

Maybe someone can suggest improvements to the following script, rather than buying third-party software.

1. Run the AD Module PowerShell (Admin User Laptop)

2. Run script:

Function Test-ADGroupMemberInfra {
    Param ($User)

    Trap { Return "error" }
    $output = $User
    $output += " * "

    # Resolve the user once and reuse the DN as the search base for every group check
    $userDN = (Get-ADUser $User).DistinguishedName

    # -RecursiveMatch follows nested group membership, so indirect members count as True
    if (Get-ADUser -Filter "memberOf -RecursiveMatch '$((Get-ADGroup "CorpSvcs_Infra_Group1").DistinguishedName)'" -SearchBase $userDN) {
        $output += "True "
    } Else {
        $output += "False "
    }
    # ==== repeat the if/else block above for each of the few hundred groups ====

    $output
}

3. Run PowerShell to produce the output, then paste it from Notepad into Excel and format it into a presentable view.

Test-ADGroupMemberInfra -User "_acssvc" >> c:\temp\group\New.txt
Test-ADGroupMemberInfra -User "_adcservice" >> c:\temp\group\New.txt
Test-ADGroupMemberInfra -User "_bkexadmin" >> c:\temp\group\New.txt
Test-ADGroupMemberInfra -User "_bsdadmgrsvc" >> c:\temp\group\New.txt
Test-ADGroupMemberInfra -User "_exservice" >> c:\temp\group\New.txt
Test-ADGroupMemberInfra -User "_foresctsvc" >> c:\temp\group\New.txt
=========== need to add on the remaining users up to 20,000 in Notepad, paste into PowerShell, output to Notepad, then copy into Excel ====


I've already submitted my task to my boss, at least to secure my job first.

Please advise if anyone can help to improve it.

Thanks.

Lucky
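The user-by-group matrix described in steps 1 to 3 above can also be built in one pass over the groups instead of one query per user per group, which matters at 20,000 users. This is an added example, not the original poster's script: it assumes the ActiveDirectory module, read access to the domain, a constructed input file of group names (one per line) and a constructed output path, and it writes a CSV that Excel opens directly with a True/False column per group.

```powershell
# Added example (not from the original post). Assumed file names: edit both.
Import-Module ActiveDirectory

$GroupNames = Get-Content 'C:\temp\group\groups.txt'      # one group name per line
$OutFile    = 'C:\temp\group\Access-Matrix.csv'

# $matrix[SamAccountName] = hashtable of group names the user is (nested) member of.
# Seed it with every user so accounts in none of the listed groups still get a row.
$matrix = @{}
Get-ADUser -Filter * | ForEach-Object { $matrix[$_.SamAccountName] = @{} }

foreach ($g in $GroupNames) {
    $group = Get-ADGroup -Identity $g -ErrorAction SilentlyContinue
    if (-not $group) { Write-Warning "Group not found: $g"; continue }

    # -Recursive expands nested groups down to the leaf user objects
    $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
               Where-Object { $_.objectClass -eq 'user' }

    foreach ($m in $members) {
        if (-not $matrix.ContainsKey($m.SamAccountName)) { $matrix[$m.SamAccountName] = @{} }
        $matrix[$m.SamAccountName][$g] = $true
    }
}

# One row per user, one True/False column per group, in the order of the input file
$rows = foreach ($user in ($matrix.Keys | Sort-Object)) {
    $row = [ordered]@{ User = $user }
    foreach ($g in $GroupNames) {
        $row[$g] = [bool]$matrix[$user].ContainsKey($g)
    }
    [pscustomobject]$row
}

$rows | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
Write-Host "Wrote $($rows.Count) users x $($GroupNames.Count) groups to $OutFile"
```

Get-ADGroupMember -Recursive stops with a size-limit error on very large groups (the ADWS default is 5,000 members), so any group that triggers that warning should be checked separately before the matrix is handed over as an access review.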
Lucky Tham, Freelancer

Author

Commented:
Hi,

How do I find nested group permissions based on the group matrix using the above script, and then use group commands to retrieve the group owner/creator and group permissions, either as true or false?

Thanks.

Lucky
Patrick Bogers, Datacenter platform engineer Lindows

Commented:
Answer given
