#1
I have a question for the group. I am looking to figure out how to find what permissions a user has on all systems in a domain without knowing what systems they have access to. Is there an LDAP/ldif query (or tool) that I can use to find out what access (either specific permissions and how I inherited them or what groups give me access to those systems) I have on all of the servers in my domain? I have come across this issue as there are many servers in my org that use nested groups and I want to find out what access I have across the domain.
#2
"pand0ra.usa" <pand0ra.usa@gmail.com> wrote in message news:1189700767.040477.14250@g4g2000hsf.googlegroups.com...
> I have a question for the group. I am looking to figure out how to
> find what permissions a user has on all systems in a domain without
> knowing what systems they have access to. Is there an LDAP/ldif query
> (or tool) that I can use to find out what access (either specific
> permissions and how I inherited them or what groups give me access to
> those systems) I have on all of the servers in my domain? I have come
> across this issue as there are many servers in my org that use nested
> groups and I want to find out what access I have across the domain.

This can be a tricky problem, as the permissions are not attributes of the trustee as listed in AD, but of the resources being permitted, for example, NTFS volumes, printer shares, and Exchange mailboxes. The one exception to this is access permissions to AD itself.

If you are limiting yourself to NTFS volumes, you would need to interrogate all systems for all available NTFS volumes, and then walk the directory tree looking for every folder and file to which the user in question had any access, whether specified directly or through membership in a security group. It gets complicated and the report voluminous.

There are surprises too. For example, if your script determined that user A had access to folder B due to membership in group C, removing the account from this group might not necessarily remove that access, as A could be a member of group D, which also has access to B. Therefore you would need to note each such relationship.

If you wish to run the script from the account you are inquiring about, you will need to enumerate all shares, hidden and otherwise, as these may point to folders hidden within folders you do not have access to.

Your best approach will likely depend on the underlying purpose. Whenever I have had to do something similar it was because I needed to analyze the permission structure in order to normalize access by, for example, removing explicit permissions on a per user basis. I mainly used CACLS and examined the output with an editor and/or filter.

/Al
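As an added example (not code from either poster), a PowerShell script that implements the walk Al describes: it resolves the user's nested group membership with a single LDAP query, then records every ACE on a directory tree that applies to the user or to one of those groups, noting which group carries it so that the "A is in both C and D" relationships are visible. The user, domain and share path are placeholders, and the script assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example, not from the thread: list which ACEs on a directory tree apply to a
# domain user, and through which (possibly nested) group each one applies.
# $User, $Root and $Domain below are placeholders constructed for this example.
param(
    [string]$User   = 'CONTOSO\alice',
    [string]$Root   = '\\FILESRV01\Share',
    [string]$Domain = 'CONTOSO'
)
Import-Module ActiveDirectory

$sam    = $User.Split('\')[-1]
$userDn = (Get-ADUser -Identity $sam).DistinguishedName

# One LDAP query returns every group the user is in, directly or via nesting, using
# the LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941).
$groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$userDn)" |
    ForEach-Object { "$Domain\$($_.SamAccountName)" }

# Well-known identities every domain user carries; ACEs for these apply as well.
$identities = @($User, 'NT AUTHORITY\Authenticated Users', 'Everyone') + $groups

Get-ChildItem -Path $Root -Directory -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $path = $_.FullName
        # Folders we cannot read the ACL of are skipped, not reported as "no access".
        try { $acl = Get-Acl -LiteralPath $path } catch { return }
        foreach ($ace in $acl.Access) {
            $who = $ace.IdentityReference.Value
            if ($identities -notcontains $who) { continue }
            [pscustomobject]@{
                Path      = $path
                Type      = $ace.AccessControlType   # Allow or Deny
                Rights    = $ace.FileSystemRights
                Via       = if ($who -eq $User) { 'direct' } else { $who }
                Inherited = $ace.IsInherited
            }
        }
    } | Export-Csv -Path .\effective-access.csv -NoTypeInformation
```

Run it against each server's shares in turn (Get-SmbShare lists them on hosts that support that cmdlet); Deny entries are reported next to Allow entries so that an inherited Deny is not mistaken for access.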