kdsrazor
Hello. The difficult thing about generating this report is that the information is not stored on the Trustee (the user or group being granted access); it is stored in the security descriptor of the object being accessed.

I'll make the example with file system object permissions just so it is a little less confusing. It is exactly the same method used for permissions of objects in Active Directory. I cannot query a user or group in Active Directory and ask it, "What files and folders can you access on ServerA?" It does not know. The permissions are actually stored on the individual files and folders themselves. You need an application that will walk through the access control list of every file and folder on ServerA, index it all, and then generate a report by user/group.

You would need to do the same type of thing in Active Directory... something that will walk through the ACL of every object and index it. I don't know of any scripts that do this, but DSRAZOR for Windows does this (for both file system and Active Directory). Once you run the report on the scope of objects you need to look through (perhaps all objects in an OU branch), then you can click on a user or group and discover everything they have access to. For each Access Control Entry (ACE), it will show you the permissions granted, how they apply to the object, and whether they were inherited or not.

If you would like a free one-on-one web presentation with an Engineer to show how this works, you can contact us at: http://www.visualclick.com/?source=FORitforum
_____________________________
Ken Aldrich Senior Support Engineer Visual Click Software 512-231-9990 x 2 supportw@visualclick.com
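As an added illustration of the walk-every-ACL-and-index-by-trustee approach described in the post above (example code written for this page, not the post's own script and not DSRAZOR): the PowerShell below reads the security descriptor of every file and folder under a root, records each ACE under its trustee, and then reports either one trustee's entries (with inheritance and apply-to flags) or a per-trustee summary. The root path and trustee name are assumed placeholders; it assumes Windows PowerShell 5.1 or later with rights to read the ACLs.

```powershell
# Added example: index file-system ACEs by trustee. Not from the original post.
param(
    [Parameter(Mandatory)] [string] $Root,   # assumed example: D:\Shares
    [string] $Trustee                        # assumed example: 'CONTOSO\Finance'; empty = summary
)

$index = @{}   # trustee name -> list of ACE records found on objects under $Root

# The root itself plus every file and folder beneath it (hidden/system included).
$items = @(Get-Item -LiteralPath $Root) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

foreach ($item in $items) {
    try {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
    } catch {
        # Typical causes: access denied on the object, or a path over MAX_PATH.
        Write-Warning "Cannot read ACL on $($item.FullName): $_"
        continue
    }
    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        if (-not $index.ContainsKey($who)) {
            $index[$who] = [System.Collections.Generic.List[object]]::new()
        }
        $index[$who].Add([pscustomobject]@{
            Trustee   = $who
            Path      = $item.FullName
            Type      = $ace.AccessControlType            # Allow or Deny
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited                  # explicit vs inherited ACE
            AppliesTo = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
        })
    }
}

if ($Trustee) {
    # Direct ACEs only: access obtained through nested group membership needs a
    # separate group-expansion step before this lookup.
    if (-not $index.ContainsKey($Trustee)) { Write-Warning "No ACEs for $Trustee under $Root"; return }
    $index[$Trustee] | Sort-Object Path | Format-Table -AutoSize
} else {
    $index.GetEnumerator() | ForEach-Object {
        [pscustomobject]@{
            Trustee  = $_.Key
            ACEs     = $_.Value.Count
            Explicit = @($_.Value | Where-Object { -not $_.Inherited }).Count
        }
    } | Sort-Object ACEs -Descending | Format-Table -AutoSize
}
```

The same loop applies to Active Directory objects if the paths are enumerated under the AD: drive provided by the ActiveDirectory module, where each ACE is an ActiveDirectoryAccessRule exposing ActiveDirectoryRights (and the ObjectType GUID) in place of FileSystemRights.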