List of folders an Active Directory group has access to

By LabRaT
I have an Active Directory security group that I need to create a complete list of each folder that the group can access and what rights it has for each folder. Can I get such a list from the system or do I have to go folder by folder checking access?

I need to know the answer to this too!

by tcleverley In reply to List of folders an Active ...

This is exactly the same question that I am posing and still struggling to find an answer. Can anyone help?

ditto for us

by muszyngr In reply to I need to know the answer ...

We would also like to know this. For all of you non-TechRepublic members, if you know of a solution or are reading this 10 years in the future and wanna know if we ever figured it out, here's my email:

muszyngr @ yahoo dot com

It would be no small task..

by Brenton Keegan In reply to ditto for us

It would be no small task to build a system to handle this, but it could be done.

First thing I would do is limit the scope of what you want searched. First thing I would do is enumerate the folders on a drive or folder. This link describes how to enumerate files within a folder. It's likely this could be modified to enumerate folders:

Next thing you would want to do is gather information on the security descriptors of each folder found. If you wanted to have an input of a group you could then have it search the trustees of a given folder, looking for the specified trustee.
This explains more:

This explains how security descriptors work:

However, you might want to gather all information on all trustees of all folders. In that case I'd dump the info into some kind of database.
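
The approach described in the answer above (enumerate folders, read each folder's security descriptor, look for the group among its trustees), as an added PowerShell example that is not part of the original thread. The root path, group name and output file are placeholders, and the function name `Get-GroupFolderAccess` is hypothetical.

```powershell
# Added example; all parameter defaults below are placeholders.
param(
    [string]$RootPath  = 'D:\Shares',               # placeholder folder to scan
    [string]$GroupName = 'EXAMPLE\Finance-Staff',   # placeholder DOMAIN\group
    [string]$OutFile   = '.\group-folder-access.csv'
)

# Hypothetical helper: emits one row per ACE that names the group.
function Get-GroupFolderAccess {
    param([string]$RootPath, [string]$GroupName)

    # The root folder itself plus every subfolder beneath it.
    $folders = @(Get-Item -LiteralPath $RootPath) +
               @(Get-ChildItem -LiteralPath $RootPath -Directory -Recurse -ErrorAction SilentlyContinue)

    foreach ($folder in $folders) {
        try {
            $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop
        }
        catch {
            # Record folders whose ACL cannot be read so gaps are visible.
            [pscustomobject]@{
                Folder = $folder.FullName; Rights = 'ACL unreadable'
                Type = ''; Inherited = ''
            }
            continue
        }

        # Each ACE carries a trustee (IdentityReference) and its rights.
        foreach ($ace in $acl.Access) {
            if ($ace.IdentityReference.Value -ieq $GroupName) {
                [pscustomobject]@{
                    Folder    = $folder.FullName
                    Rights    = $ace.FileSystemRights
                    Type      = $ace.AccessControlType   # Allow or Deny
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

Get-GroupFolderAccess -RootPath $RootPath -GroupName $GroupName |
    Export-Csv -Path $OutFile -NoTypeInformation
```

Only ACEs that name the group directly are matched; access the group gains through membership in another group, and share-level permissions, are not reflected in the output.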


by Lepide In reply to List of folders an Active ...

Try doing it via vbscript.

1. Read out all shares and their specified groups and write the data into a dictionary object.
2. Read out all AD groups and compare them against the access groups.
3. Write a logfile with the needed info about AD groups that are not assigned to any share.

Or completely change your naming concept to a more identifying convention like

Country is US, Location is Boston, Sharepath is corporate-it, AccessRight is Edit (read, write, delete)
-> maybe would be
US-BOS_Corporate-IT_ED ===>>> EDIT rights on Corporate-IT
US-BOS_Corporate-IT_RD ===>>> READ rights on Corporate-IT
US-BOS_Corporate-IT_LI ===>>> LIST rights on Corporate-IT to browse to a specific subfolder w/o being able to open other files.

