Windows – How to discover what permissions an AD group has, if you have no documentation

active-directorygroupswindows

You just got hired at company A and the old administrator is no longer there. Requests start coming through for adding users to the internet restrict group. When you look at the groups none of the names make sense and there is no documentation out there to explain what each group has rights to and what it does. That would raise concern to me. For security how do you know if everyone has the correct rights.

How would you discover what the groups have rights to? Is there a tool out there that will find this information for you?

Best Answer

You don't. There's so many things, you essentially can't do it unless you already know the entire environment anyway. See : How can I check access of a Group/User in AD before I delete it?

Look at Ben Pilbrow's answer for a partial list of the things that an entity in AD can be given rights to. If you know every application in your environment that can have an AD entity get an ACL assigned to it, then you can query each of them for every ACL.

Related Solutions

Windows – How to find what process is holding a file open in Windows

I've had success with Sysinternals Process Explorer. With this, you can search to find what process(es) have a file open, and you can use it to close the handle(s) if you want. Of course, it is safer to close the whole process. Exercise caution and judgement.

To find a specific file, use the menu option Find->Find Handle or DLL... Type in part of the path to the file. The list of processes will appear below.

If you prefer command line, Sysinternals suite includes command line tool Handle, that lists open handles.

Examples

c:\Program Files\SysinternalsSuite>handle.exe |findstr /i "e:\" (finds all files opened from drive e:\"
c:\Program Files\SysinternalsSuite>handle.exe |findstr /i "file-or-path-in-question"

What group does a package belong to

How about rpm -qi?

user@linux [~]# rpm -qi rpm
Name        : rpm                          Relocations: (not relocatable)
...
Group       : System Environment/Base       ...
....

Works for me.

Okay, I'm bored, here are some other options:

user@linux [~]# rpm -q --qf '%{GROUP}\n' rpm
System Environment/Base

For bonus points:

user@linux [~]# rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}: %{GROUP}\n' rpm
rpm-4.3.3-33_nonptl.el4_8.1.i386: System Environment/Base

(Yeah, it's an old EL4 virtual box. It's what I had handy, so sue me.)

And now for the whole shebang:

user@linux [~]# rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}: %{GROUP}\n'
redhat-logos-1.1.26-1.centos4.4.noarch: System Environment/Base
basesystem-8.0-4.noarch: System Environment/Base
libcap-1.10-20.i386: System Environment/Libraries
gmp-4.1.4-3.i386: System Environment/Libraries
keyutils-1.0-2.i386: System Environment/Base
psmisc-21.4-4.1.i386: Applications/System
zlib-1.2.1.2-1.2.i386: System Environment/Libraries
pyxf86config-0.3.19-1.i386: System Environment/Libraries
passwd-0.68-10.1.i386: System Environment/Base
...

etc.

Best Answer

Related Solutions

Windows – How to find what process is holding a file open in Windows

What group does a package belong to

Related Topic