Security Groups - Find What ACL's They Are A Member Of

Hello,

Does anyone know or can lead me to a good article on how to identify what ACL's a global security group is a member of? I am in the beginning phases of cleaning up groups and NTFS permissions.

Thanks in advance.

JL

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

Sie

Have you looked under the member of tab within properties under Active Directory Users and Computers?

blargoe

Do you mean ACLs on AD objects, file server objects, rights on domain computers, or what?

royal

You can use the Sysinternals AccessChk utility to specify a user or group and it will go search what shares, services, registry keys, etc. that user or group has access to.

AccessChk:
http://www.microsoft.com/technet/sysinternals/FileAndDisk/AccessChk.mspx

sprkymrk

royal wrote:

You can use the Sysinternals AccessChk utility to specify a user or group and it will go search what shares, services, registry keys, etc. that user or group has access to.

AccessChk:
http://www.microsoft.com/technet/sysinternals/FileAndDisk/AccessChk.mspx

Nice royal, thanks.

JLL

To further clarify what I would like to accomplish, that is to identify ALL Active Directory objects that includes a specific user/group within their Access Control List.

The SysInternals AccessChk utility can accomplish this. However, it seems I would have to create a script/batch file to run on multiple servers to effectively get what I want. Don't mind doing that if it is the only free solution.

Does anyone know of a free utility that can possibly scan an entire forest or even a specific domain?

Thank you.

JLL