Security Groups - Find What ACLs They Are A Member Of

JLLJLL Inactive Imported Users Posts: 74 ■■□□□□□□□□
Hello,

Does anyone know of, or can anyone lead me to, a good article on how to identify what ACLs a global security group is a member of? I am in the beginning phases of cleaning up groups and NTFS permissions.

Thanks in advance.

JL

Comments

  • SieSie Member Posts: 1,195
    Have you looked under the Member Of tab within Properties in Active Directory Users and Computers?
    Foolproof systems don't take into account the ingenuity of fools
  • blargoeblargoe Self-Described Huguenot NC, USAMember Posts: 4,174 ■■■■■■■■■□
    Do you mean ACLs on AD objects, file server objects, rights on domain computers, or what?
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
  • royalroyal Member Posts: 3,352 ■■■■□□□□□□
    You can use the Sysinternals AccessChk utility to specify a user or group and it will go search what shares, services, registry keys, etc. that user or group has access to.

    AccessChk:
    http://www.microsoft.com/technet/sysinternals/FileAndDisk/AccessChk.mspx
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • sprkymrksprkymrk Member Posts: 4,884 ■■■□□□□□□□
    royal wrote:
    You can use the Sysinternals AccessChk utility to specify a user or group and it will go search what shares, services, registry keys, etc. that user or group has access to.

    AccessChk:
    http://www.microsoft.com/technet/sysinternals/FileAndDisk/AccessChk.mspx

    Nice royal, thanks.
    All things are possible, only believe.
  • JLLJLL Inactive Imported Users Posts: 74 ■■□□□□□□□□
    To further clarify what I would like to accomplish: I want to identify ALL Active Directory objects that include a specific user/group within their Access Control List.

    The SysInternals AccessChk utility can accomplish this. However, it seems I would have to create a script/batch file to run on multiple servers to effectively get what I want. I don't mind doing that if it is the only free solution.

    Does anyone know of a free utility that can possibly scan an entire forest or even a specific domain?

    Thank you.

    JLL
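
An added example, not posted by anyone in the thread: a read-only PowerShell audit that reports every explicit ACL entry naming one group, covering both the AD objects in each domain of the forest and the NTFS folders under a list of share roots. It assumes the RSAT ActiveDirectory module is installed; `Example-Group`, `\\fileserver01\share` and the helper name `Get-ExplicitAce` are placeholders made up for illustration.

```powershell
# Added example (not from the thread): read-only audit of explicit ACEs naming one group.
# Assumptions: RSAT ActiveDirectory module; the group name and UNC path are placeholders.
Import-Module ActiveDirectory

$GroupName  = 'Example-Group'                 # placeholder sAMAccountName
$ShareRoots = @('\\fileserver01\share')       # placeholder; list one root per server

$sidType  = [System.Security.Principal.SecurityIdentifier]
$groupSid = (Get-ADGroup -Identity $GroupName).SID.Value

function Get-ExplicitAce {
    param($SecurityDescriptor, [string]$Location)
    if (-not $SecurityDescriptor) { return }  # descriptor unreadable with current rights
    # GetAccessRules(includeExplicit, includeInherited, targetType): explicit ACEs only, as SIDs
    $SecurityDescriptor.GetAccessRules($true, $false, $sidType) |
        Where-Object { $_.IdentityReference.Value -eq $groupSid } |
        ForEach-Object {
            $isFile = $_ -is [System.Security.AccessControl.FileSystemAccessRule]
            [pscustomobject]@{
                Location = $Location
                Type     = $_.AccessControlType
                Rights   = if ($isFile) { $_.FileSystemRights } else { $_.ActiveDirectoryRights }
            }
        }
}

# Active Directory: every object in the default naming context of each domain in the forest.
$adHits = foreach ($domain in (Get-ADForest).Domains) {
    Get-ADObject -Filter * -Server $domain -Properties nTSecurityDescriptor |
        ForEach-Object { Get-ExplicitAce $_.nTSecurityDescriptor $_.DistinguishedName }
}

# NTFS: each root folder and every subfolder beneath it.
$fsHits = foreach ($root in $ShareRoots) {
    $folders = @(Get-Item -LiteralPath $root) +
               @(Get-ChildItem -LiteralPath $root -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($folder in $folders) {
        Get-ExplicitAce (Get-Acl -LiteralPath $folder.FullName) $folder.FullName
    }
}

@($adHits) + @($fsHits) | Sort-Object Location | Format-Table -AutoSize
```

Only entries that name the group directly are reported; access the group receives through nesting inside another group, or through inherited entries set higher in the tree, shows up at the object where that entry is explicitly defined.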