Find all permissions associated with a local group
AccessChk from SysInternals claims to produce the list of privileges a given user or group is granted. http://technet.microsoft.com/en-us/sysinternals/bb664922.aspx
After more thought, I decided that by modifying the audit policy on the machine, you can cause log entries to be created when a process is used. in GPEDIT.MSC (or the AD equivalent), Computer Config -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy. Start by enabling audit of both Success/Failure of Object Access (for files/folders etc), Directory Access, Privilege Use, and Process Tracking. Or perhaps just check DENY to more quickly show you what's missing.
Related videos on Youtube
Joel Coehoorn
Updated on September 17, 2022Comments
-
Joel Coehoorn over 1 year
I'm migrating a Windows machine to some new hardware. I have the new machine built and everything installed, but there's one thing that's not working. I've narrowed it down to a local security group on the old machine that doesn't exist on the new machine. I can create the group, of course, but I need to know what permissions to associate with the group.
So how can I get a list out of Windows XP Pro of every permission associated with a particular group?
A little more detail:
This machine is a member of a domain, but it has a specific purpose — running an application used by our library's circulation desk. There's a service that runs as a specific user, and individual users log in to the machine (work study students and library administrators). I have created the group and added the appropriate accounts, and I can make the application work if I then make the group itself a member of the local administrators group. However, that's not a real solution for our work study accounts. I need to recreate the security used by the prior machine.