How to find where a security group is applied?

ladiesman217 Member Posts: 416
Hi everyone, I've been searching for a way to find where a security group is applied but still I can't find any. Please don't point to software out there since I am not allowed to use what I want due to security compliance.

Is there a command to show where a security group is applied? Or maybe a one-liner PowerShell script. Thanks in advance.
No Sacrifice, No Victory.

Comments

  • jibbajabba Member Posts: 4,317
    ladiesman217 wrote: »
    Hi everyone, I've been searching for a way to find where a security group is applied but still I can't find any. Please don't point to software out there since I am not allowed to use what I want due to security compliance.

    Is there a command to show where a security group is applied? Or maybe a one-liner PowerShell script. Thanks in advance.

    Windows / *nix ?
    My own knowledge base made public: http://open902.com :p
  • ptilsen Member Posts: 2,835
    jibbajabba wrote: »
    Windows / *nix ?
    He mentions PowerShell, so Windows.
    Is there a command to show where a security group is applied?
    It's not clear what you're asking. A security group is a collection of other objects, and is not "applied" anywhere. Are you asking for a way to see what GPOs are applying to a security group? Or where to find a security group? Or what the purpose of a security group is?
    Working B.S., Computer Science
    Complete: 55/120 credits SPAN 201, LIT 100, ETHS 200, AP Lang, MATH 120, WRIT 231, ICS 140, MATH 215, ECON 202, ECON 201, ICS 141, MATH 210, LING 111, ICS 240
    In progress: CLEP US GOV,
    Next up: MATH 211, ECON 352, ICS 340
  • cyberguypr Mod Posts: 6,928
    It sounds like the OP wants to know which folders have permissions applied using a specific security group. Maybe a cleanup? If that is the case and installing software is not an option, he could try ACL **** via PowerShell. I've used a variant of this with very good results: Make it Simple: PowerShell script for dumping access control lists (ACL)
  • jibbajabba Member Posts: 4,317
    ptilsen wrote: »
    He mentions PowerShell, so Windows.

    *facepalm*
    My own knowledge base made public: http://open902.com :p
  • ladiesman217 Member Posts: 416
    Thanks for the replies, and yes Cyberguy, we're doing a cleanup and what I want to accomplish is to find where a security group is being used (e.g. folder path). We cannot just delete security groups based on their last modification date for some reasons. I've already looked at the link you provided but it seems the script is for getting the ACL of a directory. Do you know a way to reverse this script and query where a security group is being used? Thanks in advance.
    No Sacrifice, No Victory.
  • RobertKaucher Member Posts: 4,299
    ladiesman217 wrote: »
    Thanks for the replies, and yes Cyberguy, we're doing a cleanup and what I want to accomplish is to find where a security group is being used (e.g. folder path). We cannot just delete security groups based on their last modification date for some reasons. I've already looked at the link you provided but it seems the script is for getting the ACL of a directory. Do you know a way to reverse this script and query where a security group is being used? Thanks in advance.

    If I understand what you are asking for, this is impossible because ACLs are pointers to groups/accounts, not linked lists. This means that information is encoded on the resource about who may access it - there is not a master list of all the resources a group has permission to access, or your security token would be GBs in size on a large network and it would take you an hour just to sign in.
  • ladiesman217 Member Posts: 416
    RobertKaucher wrote: »
    If I understand what you are asking for, this is impossible because ACLs are pointers to groups/accounts, not linked lists. This means that information is encoded on the resource about who may access it - there is not a master list of all the resources a group has permission to access, or your security token would be GBs in size on a large network and it would take you an hour just to sign in.

    Pardon for the confusion :) To make this clear, I've been given a list of security groups for deletion. This request was made by non-IT people and they do not know where and in what folders these are being used. We tried to delete some of the security groups and a day after we received complaints from lots of users that they can no longer access some folders. Just to be sure this won't happen again, I am thinking if there is a way to find in what folder a security group is being used or applied (if that is the correct term). So do you mean there is no method or property to query the security group using PowerShell? I am thinking if it's possible to create a reverse "get-acl"? I don't think this is impossible because a few months ago we were using a web tool to get where a security group is applied. Unfortunately the developer who created that tool has already resigned. I'm just really puzzled how to get this done. Anyway, thanks for the reply Robert. :)
    No Sacrifice, No Victory.
  • afcyung Member Posts: 212
    I think what would make this request easier for you to process would be to tell the information owners to validate the security groups that have permissions to their files, instead of just deleting security groups that could have permissions across multiple departments. I would call the requester back and see what files specifically they want the permissions modified on, instead of just deleting random security groups.
  • ptilsen Member Posts: 2,835
    You could accomplish this with PowerShell, but it would be difficult to run it against every folder out there. If you're just talking about a limited set of file servers, Cyberguypr's link should get you in the right direction.
    Working B.S., Computer Science
    Complete: 55/120 credits SPAN 201, LIT 100, ETHS 200, AP Lang, MATH 120, WRIT 231, ICS 140, MATH 215, ECON 202, ECON 201, ICS 141, MATH 210, LING 111, ICS 240
    In progress: CLEP US GOV,
    Next up: MATH 211, ECON 352, ICS 340
  • blargoe Member Posts: 4,174
    There really isn't a way to do a reverse "get-acl" and just magically get every place on the network where a security group was added to an ACL. The resource is the owner of that ACL and that information would never be stored in a central location like AD.

    If you narrow the scope of your search down to, say, searching all ACLs within a specific share on a file server, you could probably use a script that uses get-acl, pass the share name and the DOMAIN\GroupName as parameters, and then re-run the script, replacing the group name with each of the groups you were given. I haven't looked at the link that was provided, but if you could find a way to modify that script in the way I suggested, you would have as output every folder to which that group is applied.
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
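To make the approach from this thread concrete (cyberguypr's "dump the ACLs with PowerShell" and blargoe's "pass the share and DOMAIN\GroupName as parameters, re-run per group"), here is an added example script. It is not from the thread, from the linked blog post, or from any product; the script name, the share path and the group name in the comments are made-up samples, and it assumes only built-in cmdlets (Get-ChildItem, Get-Acl) on a Windows machine that can read the share.

```powershell
<#
  Find-GroupInAcls.ps1  (hypothetical script name; added example, not from the thread)

  Walk a folder tree (a UNC share or a local path) and emit one record for every
  ACE that names the given DOMAIN\GroupName: the "reverse get-acl" the OP asked
  about, done by brute force over one share at a time. Nothing to install.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)] [string] $Path,    # e.g. \\fs01\Finance            (constructed sample)
    [Parameter(Mandatory = $true)] [string] $Group,   # e.g. CONTOSO\FinanceReadOnly   (constructed sample)
    [switch] $IncludeInherited,   # by default only explicit ACEs are reported
    [switch] $IncludeFiles        # by default only folders are walked
)

# Resolve the group name to its SID once, so an ACE that the file server can only
# display as a raw SID (trust or name-resolution trouble) still matches.
try {
    $sid = (New-Object System.Security.Principal.NTAccount($Group)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
} catch {
    throw "Cannot resolve '$Group' to a SID: $($_.Exception.Message)"
}

$problems = New-Object System.Collections.Generic.List[string]

# Enumerate the root plus everything under it. Folders we cannot enumerate are
# collected instead of aborting the run: an unreadable ACL is not evidence that
# the group is unused there.
$foldersOnly = -not $IncludeFiles
$root  = Get-Item -LiteralPath $Path -ErrorAction Stop
$items = Get-ChildItem -LiteralPath $Path -Recurse -Force -Directory:$foldersOnly `
             -ErrorAction SilentlyContinue -ErrorVariable walkErrors
foreach ($e in $walkErrors) {
    $problems.Add("enumerate: $($e.TargetObject): $($e.Exception.Message)")
}

foreach ($item in @($root) + @($items)) {
    try {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
    } catch {
        $problems.Add("read ACL: $($item.FullName): $($_.Exception.Message)")
        continue
    }

    foreach ($ace in $acl.Access) {
        # An inherited ACE is the parent's grant echoed downward; the explicit ACE
        # is the one that silently vanishes (and breaks access) when the group is deleted.
        if ($ace.IsInherited -and -not $IncludeInherited) { continue }

        $who = $ace.IdentityReference.Value
        if ($who -ine $Group -and $who -ine $sid) { continue }

        [pscustomobject]@{
            Path      = $item.FullName
            Identity  = $who
            Type      = $ace.AccessControlType          # Allow / Deny
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            AppliesTo = "$($ace.InheritanceFlags); $($ace.PropagationFlags)"
        }
    }
}

# Surface what could not be checked, so an empty result is not mistaken for "not used".
foreach ($p in $problems) { Write-Warning $p }

# Usage (sample paths are constructed):
#   .\Find-GroupInAcls.ps1 -Path '\\fs01\Finance' -Group 'CONTOSO\FinanceReadOnly' |
#       Export-Csv .\FinanceReadOnly-usage.csv -NoTypeInformation
#   Get-Content .\groups-to-delete.txt |
#       ForEach-Object { .\Find-GroupInAcls.ps1 -Path '\\fs01\Finance' -Group $_ }
```

Two caveats for the cleanup use case. Only explicit entries are listed by default because that is where a deletion actually bites; pass -IncludeInherited if you want the full footprint. And this covers NTFS ACLs only: share-level permissions live on the SMB share itself (Get-SmbShareAccess on Windows Server 2012 and later), so a group that appears nowhere in the NTFS output can still be the thing granting share access, and it has to be checked separately for each share before the group is removed.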
  • buzzkill Member Posts: 95
    ladiesman217 wrote: »
    This request was made by non-IT people and they do not know where and in what folders these are being used. We tried to delete some of the security groups and a day after we received complaints from lots of users that they can no longer access some folders. Just to be sure this won't happen again,

    Classic example of why non-IT people need to get their noses out of other people's business and concentrate on their own affairs. Chances are, if they are meddling in things like this, they have no proper work to be doing themselves and are really just a waste of a salary.

    /getsoffhighhorse
  • afcyung Member Posts: 212
    buzzkill wrote: »
    Classic example of why non-IT people need to get their noses out of other people's business and concentrate on their own affairs. Chances are, if they are meddling in things like this, they have no proper work to be doing themselves and are really just a waste of a salary.

    /getsoffhighhorse

    This is a rather obtuse way to look at it. Do you think the IT department should be responsible for determining permissions for everyone? I think what happened was that when the ticket got put into the service desk, they didn't do a good job of actually deciphering the request into a workable task.