how to extract all permissions that a domain user have on the network


Solution 1

I suggest you look into the Sysinternals tools (now part of Microsoft) in particular AccessChk and AccessEnum. I haven't used them myself, but they sound appropriate to your needs.

Solution 2

I believe there are no free tools for this... one commercial tool I know is Access Manager from Quest. http://www.quest.com/access-manager/

This is what they claim:

Data Intelligence - Analyze who is accessing and using data and how often to help determine data retention policies for archiving and deleting unused data.

Access Insight - Produce intelligent reports for business owners to clearly show who is controlling and accessing the data, who the owner is, or to suggest potential owners to help initiate an attestation process for compliance.

Data Control - Secure access to data, files and shares so that sensitive information is accessed only by those with a business need.

Compliance Accountability - Assign ownership of all data to the appropriate business owners for accountability and compliance reporting.

Access Activity - Identify and monitor key data to track all access, including details such as who accessed the data and when, and retain the details in log form.

Solution 3

Apart from the obvious - that this is insanely expensive in a 1000+-server domain - you would need to script something that retrieves all machines from AD and then iterate over them with an administrator account that has the rights to view all permissions of all filesystem objects.

It's insane.

Solution 4

As @adaptr says this could be really expensive if not impossible. Unless... You have to make an organizational commitment to NEVER put a UserID directly into an ACL. Use Groups for everything. If you do that, then you simply make a list of the groups a person is a member of and what those groups grant access to.

In our environment we have three groups for every share: Share_Read, Share_Write and Share_Admin. We never add an individual account to a share EXCEPT their Home share.
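An audit script in the spirit of this answer, added here as an example and not part of the original post: it dumps the ACLs of a set of share roots, resolves each ACE identity in AD, and reports the entries that name a user rather than a group (home-share paths excepted). The share list, the home-share root and the `_Read`/`_Write`/`_Admin` naming pattern are assumptions; the script needs the RSAT ActiveDirectory module and read access to the audited paths.

```powershell
# Added example (not from the original answers). Assumes the RSAT ActiveDirectory
# module and read rights on the audited paths. $Paths and $HomeShareRoot below
# are constructed placeholders; adapt them to your own environment.
Import-Module ActiveDirectory

function Get-DirectUserAces {
    param(
        [Parameter(Mandatory)] [string[]] $Paths,
        # Direct user ACEs are expected on home shares, so those paths are skipped.
        [string] $HomeShareRoot = '\\SERVER_A\Home$'
    )
    # Well-known principals that are neither users nor custom groups.
    $skip = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')
    foreach ($path in $Paths) {
        if ($path -like "$HomeShareRoot*") { continue }
        $acl = Get-Acl -Path $path
        foreach ($ace in $acl.Access) {
            $id = $ace.IdentityReference.Value
            if ($skip -contains $id) { continue }
            $sam = $id.Split('\')[-1]
            # Resolve the principal class in AD; a 'user' here breaks the groups-only rule.
            $obj = Get-ADObject -Filter "SamAccountName -eq '$sam'"
            if ($obj -and $obj.ObjectClass -eq 'user') {
                [pscustomobject]@{
                    Path      = $path
                    Identity  = $id
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
            elseif ($obj -and $obj.ObjectClass -eq 'group' -and $sam -notmatch '_(Read|Write|Admin)$') {
                # Group is present but does not follow the per-share naming convention.
                Write-Warning "$path : group '$id' does not follow the <Share>_Read/_Write/_Admin convention"
            }
        }
    }
}

# Constructed sample share list (placeholders); run this regularly and review the output.
$Paths = @('\\SERVER_A\wwwRoot', '\\SERVER_A\sharedFolder', '\\SERVER_B\projects')
Get-DirectUserAces -Paths $Paths | Format-Table -AutoSize
```

Any row returned is an ACL entry that should be replaced by membership in the matching share group; once the list is empty, reviewing group memberships alone answers what a user can access.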

Author: Alexandre Jobin

Updated on September 18, 2022

Comments

  • Alexandre Jobin
    Alexandre Jobin over 1 year

    I would like to know all the permissions a Windows domain user has in my network. Is there a way, with a script file or a tool, that can extract this kind of information by checking all the servers and computers in my network? I'm on a Microsoft network with Windows Server 2008 R2, Windows XP, Windows 7.

    The report should include this kind of information:

    • report all permissions that the domain user has (read, write, etc...)
    • if the domain user is in a domain group, tell me the permissions that this group has in my network

    so the report could be something like this:

    Permissions for USER_A in the DOMAIN.COM

    • the user is part of these domain groups:
      • GROUP_A
      • GROUP_B
    • SERVER_A
      • W:\wwwRoot (R/W inherited from GROUP_A)
      • W:\sharedFolder (R)
    • SERVER_B
      • c:\projects (R/W)
      • c:\projects\project_a (R/W)
      • c:\projects\project_b (R/W)
      • c:\dumpfolder (R/W inherited from GROUP_B)
    • COMPUTER_A
      • LOCAL\Administrator
      • c:\ (R/W)
  • Mike
    Mike about 12 years
    Not to mention application rights. How would you ever look into applications that leverage your AD infrastructure? And don't forget SQL permissions if you have SQL servers.
  • Kcmamu
    Kcmamu about 12 years
    ...and registry, printers, etc.
  • Alexandre Jobin
    Alexandre Jobin about 12 years
    You are right when you say that a user shouldn't have access directly to something but use a Group that has access. But I have to work with what I have in place and the other administrator has used some bad practices so I have to live with that. But how to know what a group has access to is the same thing as asking what the user has access to, don't you think? Or maybe I'm wrong?
  • Alexandre Jobin
    Alexandre Jobin about 12 years
    It might be insane when you think about it but we have ~300 desktop computers with ~20 servers. Since the older administrator used bad practices by giving access to users directly and not using groups, I need something to help me clean the network. I guess that the tool could have the option to include or exclude desktop computers or to put a list of IPs that I want to scan.
  • uSlackr
    uSlackr about 12 years
    I appreciate you have to play the hand that was dealt. Our point is that trying to build a script to report access is almost impossible. If you take a methodical approach like I describe, then you only need to review group memberships to see who has access. Then, regularly dump ACLs to ensure only groups are in them. No need to search across every ACL to see who has access to what.
  • Alexandre Jobin
    Alexandre Jobin about 12 years
    The AccessChk tool helped me to know what a user had on a server. It cannot scan the full network but at least it is very quick and gives me enough information.
  • Alexandre Jobin
    Alexandre Jobin about 12 years
    I haven't had a chance to test this product since I've solved a part of my problem with AccessChk, but it seems to be a great tool too. Thank you for sharing this!