
Checking group security

Posted by tman on October 5, 2007, 10:31 am
Our A/D domain is now littered with old security groups, that still have
members, but we don't know if the groups are actually still being used
anywhere on the network folders.

Is there a way to recursively check through folders (probably from the
command line) to see if a specific security group has permissions assigned
to any of the folders? I've looked through the resource kit tools, and the
only app that *seems* like it might do the trick is subinacl, but I can tell
from the command help whether it's actually possible?

Anyone got any ideas? If subinacl can do the job, a syntax example would be
most welcome.




Posted by JeffB on October 5, 2007, 1:43 pm

> Is there a way to recursively check through folders (probably from the
> command line) to see if a specific security group has permissions assigned
> to any of the folders?

If quick-and-dirty is OK, this PowerShell one-liner would do the trick.
Change directory to wherever you need to be, and then:

get-childitem -recurse | get-acl | foreach-object {
    if ($_.AccessToString.Contains("DOMAIN\group ")) {
        "------------------", $_.Path, $_.AccessToString | format-list
    }
}

The space after the group name is important, in case the group name is a
prefix of any other group name. Try first specifying a group that you
*know* is being used. The "Contains" method is case-sensitive, so be careful
to get the case right.
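
An added example, not part of the original posts: the same search done by comparing each access entry's identity exactly and case-insensitively, so neither the trailing space nor the exact case matters. It assumes PowerShell 3.0 or later; the function name `Find-GroupAce`, its parameters and the `DOMAIN\group` value are hypothetical placeholders.

```powershell
# Added example (hypothetical helper, not from the thread).
# Lists every folder under -Path whose ACL contains an entry for -Group.
function Find-GroupAce {
    param(
        [Parameter(Mandatory)] [string] $Group,  # placeholder form: 'DOMAIN\group'
        [string] $Path = '.',
        [switch] $ExplicitOnly                   # skip entries inherited from a parent
    )

    # Check the root folder itself plus every subfolder beneath it.
    # Folders that cannot be enumerated are collected in $walkErrors.
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Directory `
                   -ErrorAction SilentlyContinue -ErrorVariable walkErrors)

    foreach ($item in $items) {
        try   { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL: $($item.FullName)"; continue }

        foreach ($ace in $acl.Access) {
            # Whole-name, case-insensitive comparison instead of a substring test
            if ($ace.IdentityReference.Value -ine $Group) { continue }
            if ($ExplicitOnly -and $ace.IsInherited)      { continue }

            [pscustomobject]@{
                Path      = $item.FullName
                Identity  = $ace.IdentityReference.Value
                Type      = $ace.AccessControlType   # Allow or Deny
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }

    # Report folders that could not be walked, so gaps in coverage are visible.
    foreach ($e in $walkErrors) { Write-Warning "Skipped: $($e.TargetObject)" }
}

# Usage with the placeholder group name, starting from the current directory
Find-GroupAce -Group 'DOMAIN\group' -Path . -ExplicitOnly | Format-Table -AutoSize
```

With `-ExplicitOnly` the output shows only the folders where the group was assigned directly, which is where an entry would have to be removed. An empty result covers folder ACLs only; it says nothing about share permissions or the group being nested inside another group that is in use.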









Posted by tman on October 10, 2007, 6:31 am
Thanks a lot. That seems to do the trick.


> Our A/D domain is now littered with old security groups, that still have
> members, but we don't know if the groups are actually still being used
> anywhere on the network folders.
>
> Is there a way to recursively check through folders (probably from the
> command line) to see if a specific security group has permissions assigned
> to any of the folders? I've looked through the resource kit tools, and the
> only app that *seems* like it might do the trick is subinacl, but I can
> tell from the command help whether it's actually possible?
>
> Anyone got any ideas? If subinacl can do the job, a syntax example would
> be most welcome.

