"Coelho" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) m...
> Hi everyone,
>
> I work with Access Administration at a large company (more than 1,000
> servers) and sometimes we need to find out, by having a group name,
> all the folders which have this group contained in them.

Do you really mean, all directories which "allow
access to this group"?

There is no really convenient and foolproof method.

> Is there any way to do that? Only way I can think is running a DumpACL
> and then locating the groups needed, but it would be impossible to
> generate DumpACLs for more than a thousand servers every time I needed
> to find out this...

Yes, that is correct. The reason is that ANY NTFS
file or directory, plus other objects like the registry
specific or inherited permissions, while file shares
and printer shares (non-hierarchical) can have
other explicit permission on ANY server.

And "server" may include peer shared resources on
individual workstations in some companies.

Not to mention that anyone can be listed as an individual
or if a member of a Global (or Universal) group may
be given permissions by a containing group which
includes the group where they are actually listed.

There are various assumptions you can make to simplify
the problem, but for complete information you would
have to search all of the possible places for the group
and for any group which contains that group (or in
Native+ mode: that contains THAT group etc.)

Can it be done? Yes.
Is it trivial? No.

With 1000 servers you have some budget (likely)
so perhaps someone will offer a commercial suggestion,
or perhaps you have programmers who will write
something for you.

It isn't really a hard problem, just tedious.
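
Added example, not part of the original post: the search the reply describes (the group itself plus every group that contains it, at any nesting depth, matched against NTFS and share permissions on every machine), sketched in Python. The group names, server names and ACE row layout are constructed for illustration, and it assumes each server's ACLs have already been exported into rows of this shape.

```python
from collections import deque

# Constructed sample data (hypothetical names, not from the original post).
# MEMBER_OF maps a group to the groups that directly contain it.
MEMBER_OF = {
    r"CORP\HelpDesk": [r"CORP\IT-Staff"],
    r"CORP\IT-Staff": [r"CORP\AllEmployees", r"SRV01\Administrators"],
    r"CORP\AllEmployees": [],
    r"CORP\Finance": [r"CORP\AllEmployees"],
}

# One row per ACE, in an assumed export layout:
# (server, object kind, path, trustee, rights, inherited?)
ACES = [
    ("SRV01", "ntfs", r"D:\Tools", r"CORP\HelpDesk", "Modify", False),
    ("SRV01", "ntfs", r"D:\Tools\bin", r"CORP\HelpDesk", "Modify", True),
    ("SRV01", "share", r"\\SRV01\Apps", r"CORP\IT-Staff", "Read", False),
    ("SRV02", "ntfs", r"E:\Public", r"CORP\AllEmployees", "Read", False),
    ("SRV02", "ntfs", r"E:\Ledger", r"CORP\Finance", "Full", False),
    ("WS117", "share", r"\\WS117\Scans", r"CORP\HelpDesk", "Change", False),
]

def containing_groups(group, member_of):
    """Return group plus every group that contains it, at any nesting depth."""
    seen, queue = {group}, deque([group])
    while queue:
        for parent in member_of.get(queue.popleft(), []):
            if parent not in seen:  # also guards against circular nesting
                seen.add(parent)
                queue.append(parent)
    return seen

def find_access(group, member_of, aces, include_inherited=False):
    """List ACEs that grant access to group directly or via a containing group."""
    trustees = {g.lower() for g in containing_groups(group, member_of)}
    hits = []
    for server, kind, path, trustee, rights, inherited in aces:
        if trustee.lower() not in trustees:
            continue
        if inherited and not include_inherited:
            continue  # report only where the permission is actually set
        via = "direct" if trustee.lower() == group.lower() else "via " + trustee
        hits.append((server, kind, path, rights, via))
    return hits

if __name__ == "__main__":
    for hit in find_access(r"CORP\HelpDesk", MEMBER_OF, ACES):
        print(*hit, sep=" | ")
```

Skipping inherited ACEs by default keeps the report to the objects where the permission was explicitly granted, which is usually where an administrator has to make the change.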