list all permission of all users and group membership in a domain

Question

Wednesday, March 16, 2016 12:03 PM

We have a W2K82 domain. About 100 member servers and 500 users.

I've searched for a tool/script to list all permissions of all users and group membership in a domain. Found a few tools, but with most of them you have to run per server or per user.

I saw some commercial tools, StealthBits, Varonis. But these tools are too expensive for a one-time listing of user permissions and groups. We mostly used groups, but we did put some user IDs directly into the ACL over the years. Yeah.. I know.. Not best practice. Now we probably have to buy one of those expensive commercial tools.

Some advice on helpful tools would be appreciated. We wouldn't mind a commercial tool, but not too expensive, because we will probably use it once or twice.

Thanks

All replies (5)

Tuesday, March 22, 2016 1:41 AM ✅Answered

Hi Biga_b,

Here are two PowerShell scripts below that may be helpful to you.

Lists all the shared folder permissions or NTFS permissions (PowerShell)

https://gallery.technet.microsoft.com/scriptcenter/Lists-all-the-shared-5ebb395a

Get-Share Permissions

https://gallery.technet.microsoft.com/scriptcenter/List-Share-Permissions-83f8c419

In addition, there is a VB script below for your reference.

List Folder Permissions

https://gallery.technet.microsoft.com/scriptcenter/a7f4694d-c71b-4b47-a781-4c4f832e87d7

Best Regards,

Jay

Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected].


Wednesday, March 16, 2016 3:00 PM

Hi Biga_b,

I have no idea about permission tools.

But here is a thread about scripting out all user permissions for a database that may be helpful to you.

https://social.technet.microsoft.com/Forums/sqlserver/en-US/a33bed72-764e-4422-a767-5aa114aa3f8c/script-to-script-out-all-user-permissions-for-a-database

There are plenty of scripts at the link below.

https://gallery.technet.microsoft.com/scriptcenter/

Best Regards,

Jay



Monday, March 21, 2016 5:22 AM

Hi,

Are there any updates?

Best Regards,

Jay



Monday, March 21, 2016 5:39 AM

Hi,

https://www.petri.com/list_all_users_and_groups_in_domain

NTRao


Monday, March 21, 2016 10:27 PM

Let's narrow this down.. I want to list all the user accounts that have been granted permission based on a server/shares/folders and all subfolders.

Found those scripts:

dir c:\folder -Recurse | ForEach-Object {
    # Try/catch here would let you save the path to files/folders that you can't view...
    $_ | Get-Acl | select @{N="Path"; E={Convert-Path $_.Path}} -ExpandProperty Access
} | Export-CSV StibbeGroups.csv -NoTypeInformation -Encoding UTF8

But I want to exclude builtin/system accounts in the CSV file.

get-childitem \\fileshare\folder -recurse | get-acl | select-object path,owner,accesstostring,group | export-csv "C:\security.csv"

This script excludes the builtin/system accounts, but does not have the inherited object.

Also, both scripts don't scan the root/network share folder permissions.

This script should work scanning share permissions, but my output is empty:

function Get-SharedPermissions {
    # $Computer was never defined anywhere in the original script, so every WMI
    # query ran against an empty computer name and nothing came back.
    param([string]$Computer = $env:COMPUTERNAME)

    $Shares = Get-WmiObject -Class Win32_Share -ComputerName $Computer | select -ExpandProperty Name

    foreach ($Share in $Shares) {
        $ACL = $Null
        Write-Host $Share -ForegroundColor Green
        Write-Host $('-' * $Share.Length) -ForegroundColor Green
        # Share-level security descriptor (not the NTFS ACL of the underlying folder)
        $objShareSec = Get-WMIObject -Class Win32_LogicalShareSecuritySetting -Filter "Name='$Share'" -ComputerName $Computer
        Try {
            $SD = $objShareSec.GetSecurityDescriptor().Descriptor
            foreach ($ACE in $SD.DACL) {
                $UserName = $ACE.Trustee.Name
                if ($ACE.Trustee.Domain -ne $Null) { $UserName = "$($ACE.Trustee.Domain)\$UserName" }
                # Unresolvable trustee (deleted account etc.): fall back to the raw SID
                if ($ACE.Trustee.Name -eq $Null) { $UserName = $ACE.Trustee.SIDString }
                [Array]$ACL += New-Object Security.AccessControl.FileSystemAccessRule($UserName, $ACE.AccessMask, $ACE.AceType)
            }
        }
        Catch {
            Write-Host "Unable to obtain permissions for $Share"
        }
        $ACL | select IdentityReference, IsInherited, FileSystemRights
        Write-Host $('=' * 50)
    }
}

# The function also has to be called after it is defined, e.g.:
# Get-SharedPermissions -Computer <servername>

Not having PowerShell skills, this is driving me nuts. A combination of these scripts would be ideal.

Thanks
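The combination asked for in the last post, written as an added example for this thread rather than one of the scripts posted above: it enumerates the disk shares of one server, records the share-level DACL (the part the posted scripts never reached), walks the NTFS ACL of the share root and every subfolder and file while keeping the IsInherited flag, drops built-in/system principals, and writes everything to one CSV. It assumes PowerShell 3.0 or later, WMI access to the server and read access to the shares; the $Computer and $OutFile parameters are placeholders you supply, and the regex of "built-in" identities is my own choice, not anything from the thread.

```powershell
# Added example (not one of the scripts posted in this thread).
# Share-level + NTFS permissions of every disk share on one server, inherited
# entries included and flagged, built-in/system principals filtered out, one CSV.
# Assumes PowerShell 3.0+, WMI access to the server, read access to the shares.
[CmdletBinding()]
param(
    [string]$Computer = $env:COMPUTERNAME,           # placeholder: server to audit
    [string]$OutFile  = ".\$Computer-permissions.csv" # placeholder: output path
)

# Identities treated as built-in/system noise (assumed list, adjust as needed).
# "Everyone" and "Authenticated Users" are deliberately kept: those are the
# entries an access review most needs to see.
$BuiltinPattern = '^(NT AUTHORITY\\|BUILTIN\\|NT SERVICE\\|CREATOR OWNER|S-1-5-(18|19|20|32)(-|$))'

function Test-BuiltinIdentity {
    param([string]$Identity)
    return [bool]($Identity -match $BuiltinPattern)
}

function Get-SharePermission {
    # Share-level DACL of one share, read through the same WMI class as the posted script.
    param([string]$Computer, [string]$ShareName)
    $sec = Get-WmiObject -Class Win32_LogicalShareSecuritySetting `
        -Filter "Name='$ShareName'" -ComputerName $Computer -ErrorAction SilentlyContinue
    if (-not $sec) { Write-Warning "No share security descriptor for \\$Computer\$ShareName"; return }
    $sd = $sec.GetSecurityDescriptor().Descriptor
    foreach ($ace in $sd.DACL) {
        # DOMAIN\Name when the trustee resolves, raw SID when it does not (deleted accounts)
        $identity = if ($ace.Trustee.Name) {
            if ($ace.Trustee.Domain) { "$($ace.Trustee.Domain)\$($ace.Trustee.Name)" } else { $ace.Trustee.Name }
        } else { $ace.Trustee.SIDString }
        $aceType = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }   # Win32_ACE: 0 = allowed, 1 = denied
        [PSCustomObject]@{
            Computer    = $Computer
            Share       = $ShareName
            Path        = "\\$Computer\$ShareName"
            Level       = 'Share'
            Identity    = $identity
            Rights      = ([System.Security.AccessControl.FileSystemRights]$ace.AccessMask).ToString()
            Type        = $aceType
            IsInherited = $false   # share ACEs are never inherited
        }
    }
}

function Get-NtfsPermission {
    # NTFS ACEs on the share root itself and on every item below it.
    param([string]$Computer, [string]$ShareName)
    $root  = "\\$Computer\$ShareName"
    # Get-ChildItem -Recurse never returns the root, so it is added explicitly
    $items = @(Get-Item -LiteralPath $root -ErrorAction SilentlyContinue) +
             @(Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        try   { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL on $($item.FullName): $($_.Exception.Message)"; continue }
        foreach ($ace in $acl.Access) {
            [PSCustomObject]@{
                Computer    = $Computer
                Share       = $ShareName
                Path        = $item.FullName
                Level       = 'NTFS'
                Identity    = $ace.IdentityReference.Value
                Rights      = $ace.FileSystemRights.ToString()
                Type        = $ace.AccessControlType.ToString()
                IsInherited = $ace.IsInherited
            }
        }
    }
}

# Type 0 = ordinary disk share; this skips the administrative C$/ADMIN$/IPC$ shares
$shares = Get-WmiObject -Class Win32_Share -ComputerName $Computer |
    Where-Object { $_.Type -eq 0 } | Select-Object -ExpandProperty Name

$rows = foreach ($share in $shares) {
    Get-SharePermission -Computer $Computer -ShareName $share
    Get-NtfsPermission  -Computer $Computer -ShareName $share
}

$filtered = @($rows | Where-Object { -not (Test-BuiltinIdentity $_.Identity) })
$filtered | Export-Csv -LiteralPath $OutFile -NoTypeInformation -Encoding UTF8
Write-Host "Wrote $($filtered.Count) access entries for $Computer to $OutFile"
```

Run it once per file server (or loop over a server list) from a machine that can reach the shares; the Level column tells you whether a row came from the share DACL or from NTFS, and effective access through a share is the more restrictive of the two. Rows whose Identity is a domain group still need expanding to user accounts, which the ActiveDirectory module's Get-ADGroupMember -Recursive can do for each distinct group name in the CSV.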