
February 21, 2014 at 2:07 pm

Hi! I was trying to think how to do this.
I inherited a large AD with secure groups.
I was happy that they were creating shares and then granting access to those shares by creating secure groups and giving the secure groups access to those shares.
The problem is no one documented what group went with what share.

Example: I have group FS_TXSales_Client_R, so somewhere out there is a file share, \\server\TXSales\client, that has given read access to the FS_TXSales_Client_R group.

In PowerShell, is there a way to track from the group name what its share focus is?

Thank you John

February 21, 2014 at 5:33 pm

There's no central list that tells you what a group has been granted permissions to; you'd have to scan every securable object (file, folder, share, registry key, AD objects, etc.) to find that out. Your naming convention probably makes it quite a bit easier to figure out what the group's intended use was, though that's no guarantee that people haven't used it in other places as well.

Check out the AccessEnum utility, for a start.

February 24, 2014 at 7:53 am

Maybe the NTFSsecurity module is useful:

https://ntfssecurity.codeplex.com/

February 24, 2014 at 10:27 am

In Windows, all permissions are held on the object rather than the group or user. This was a deliberate decision in the early days of Windows NT. At the time it was a differentiator from Novell and met the requirements of the US Government.
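
Because permissions live on the object, as the replies above say, finding a group's shares means reading ACLs server by server. The following is an added example, not code from any poster in this thread, that checks share-level permissions and the NTFS ACLs on each share root and its first-level folders for one group. The server name is a placeholder, and it assumes the file servers run Windows Server 2012 or later (for the SmbShare cmdlets) and accept CIM sessions.

```powershell
# Added example, not from the thread. Assumptions: server names are placeholders,
# the servers run Windows Server 2012+ (SmbShare module) and accept CIM sessions.
$Servers = @('FILESERVER01')          # hypothetical file server list
$Group   = 'FS_TXSales_Client_R'      # group name from the question

# True when a "DOMAIN\name" identity ends in the group we are looking for
function Test-IsGroup([string]$Identity) { ($Identity -split '\\')[-1] -eq $Group }

$findings = foreach ($server in $Servers) {
    $cim = New-CimSession -ComputerName $server
    try {
        # -Special $false skips administrative shares (C$, ADMIN$, IPC$)
        foreach ($share in Get-SmbShare -CimSession $cim -Special $false) {
            $unc = "\\$server\$($share.Name)"

            # Layer 1: share-level permissions
            Get-SmbShareAccess -CimSession $cim -Name $share.Name |
                Where-Object { Test-IsGroup $_.AccountName } |
                ForEach-Object {
                    [pscustomobject]@{ Path = $unc; Layer = 'Share'
                        Rights = $_.AccessRight; Type = $_.AccessControlType; Inherited = $false }
                }

            # Layer 2: NTFS ACLs on the share root and its first-level folders
            $folders = @($unc) + @(Get-ChildItem -LiteralPath $unc -Directory -ErrorAction SilentlyContinue |
                                   ForEach-Object FullName)
            foreach ($folder in $folders) {
                $acl = Get-Acl -LiteralPath $folder -ErrorAction SilentlyContinue
                if (-not $acl) { continue }   # unreadable folder: skip rather than guess
                $acl.Access | Where-Object { Test-IsGroup $_.IdentityReference.Value } |
                    ForEach-Object {
                        [pscustomobject]@{ Path = $folder; Layer = 'NTFS'
                            Rights = $_.FileSystemRights; Type = $_.AccessControlType
                            Inherited = $_.IsInherited }
                    }
            }
        }
    }
    finally { Remove-CimSession $cim }
}

$findings | Sort-Object Path, Layer | Format-Table -AutoSize
```

Rows with `Inherited` set to `False` mark where the group was granted access explicitly. Folders deeper than one level below the share root, and folders the scanning account cannot read, are not covered by this pass.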