General discussion

Locked

What has my Group been Assigned too

By Jesse.Schmidt01 ·
Does anyone know of a way to find out where a User or Group has been assigned?

Its easy to know what Groups a user is a member of but what about where there groups have been assigned.

Example:
You have a group called SecAccesLevel1 and you want to discover every Computer/Resource/Item that Group has been assigned too.

Just clicking around you find that there is a subfolder under a Share that the Group has been assigned access too. The Root folder had given the Group ?List Folder Contents? but the sub folder has given them Full access to that sub.

So just to reiterate the question, other then stumbling onto this groups assignment to this folder how would you have know that they had access.

This conversation is currently closed to new comments.

2 total posts (Page 1 of 1)  
| Thread display: Collapse - | Expand +

All Comments

Collapse -

When a group is given rights to a folder

by neilb@uk In reply to What has my Group been As ...

it is added to the Access control List of that folder and all subfolders that inherit the rights. The only way that I've found to do to my own satisfaction it is to recursively scan the tree and pull out the ACLs to match up the group. I use vbscript but you can also use some of the Command Line tools. I've use SETACL but that's just because I like it. There are others.

You'll get it at http://setacl.sourceforge.net/ and in the docs they have an example of the command line to dump out all of the ACL for a share.

It may well produce a LOT of data for you to wade through so reckon on greping the output!

Collapse -

Follow Up

by Jesse.Schmidt01 In reply to When a group is given rig ...

Thanks for the input, I looked into SETACL but I don?t think this utility is going to work for me. Also doesn?t the Subinacl.exe command works about the same way?

In the end I gave up on my search for the Uber utility that would magically show me every where that a user had been added to a Resource, Group, Folder, Printer ect. And instead went for the reverse approach, going from the resource back to the user.

Using Showacls.exe I can go to each server and run a command against a share and get a Text file showing me all the users and groups that have access to that share and what access they have.

Eg:
Showacls.exe /s \\<serverName>\Share >c:\ShareAccess.txt

The down side to this is that I have around 50 servers that I need to run this on to do my complete audit.

Back to IT Employment Forum
2 total posts (Page 1 of 1)  

Related Discussions

Related Forums