For a Windows domain, is there a way to see for a certain user or group, where the user/group has permissions?
Primarily: List which files / folders the user can access on a certain network share. (Kind of a recursive "effective permissions") However, other permissions would be cool as well.
I believe I've seen such a tool in action, but I can't remember anything beyond that - so this might be a false memory.
Recommendations?
4 Answers
Windows Sysinternals has a tool AccessEnum which states: "While the flexible security model employed by Windows NT-based systems allows full control over security and file permissions, managing permissions so that users have appropriate access to files, directories and Registry keys can be difficult. There's no built-in way to quickly view user accesses to a tree of directories or keys. AccessEnum gives you a full view of your file system and Registry security settings in seconds, making it the ideal tool for helping you for security holes and lock down permissions where necessary." Good Luck!
The net user command might be what you are locking for. The syntax is as follows:
net user /domain [username] Sample Return:
Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation. All rights reserved. C:\Windows\system32>net user /domain joneswac The request will be processed at a domain controller for domain MY.SCHOOL.EDU. User name joneswac Full Name Wesley P Jones Comment User's comment Country code 000 (System Default) Account active Yes Account expires Never Password last set 5/6/2013 3:51:33 PM Password expires Never Password changeable 5/6/2013 3:51:33 PM Password required Yes User may change password Yes Workstations allowed All Logon script User profile Home directory \\WONDERFULSCHOOL\students\joneswac Last logon 6/1/2013 3:31:50 PM Logon hours allowed All Local Group Memberships Global Group memberships *SOCIAL AND BEHAVIORAL*IT Boot Camp Admin *Students *Registered for Classe *Domain Users *90B SOC SCI TCH PLAN The command completed successfully. C:\Windows\system32> edit: removed typo character from command
1view all login user group (nested too):
DSQUERY USER -name %Username% | DSGET USER -memberof -expand | DSGET GROUP -sid -samid | more view all user group (nested too):
DSQUERY USER -name <user name> | DSGET USER -memberof -expand | DSGET GROUP -sid -samid | more view all memberof group (nested too):
DSQUERY GROUP -name "Nected Group Set of resources 1" | DSGET GROUP -memberof -expand | DSGET GROUP -sid -samid view all members group (nested too):
DSQUERY GROUP -name "Nected Group Set of resources 1" | DSGET GROUP -members -expand | DSGET GROUP -sid -samid view curent user permission, see too /Z /V ... /R options:
GPRESULT /USER %username% view curent user prop:
dsquery * -filter "(samAccountName=%username%)" -attr * 0You can use also ADSISearcher:
([ADSISearcher]"(&(ObjectCategory=User)(cn=Lastname, Firstname))").FindOne().properties This will return only the permissions of the user but in full list view