-
November 16th, 2005, 02:11 AM
#1
Tool for outputting ACLs to the individual user level?
Hi Everyone,
Client areas at work are after a tool that will allow them to:
1) Output the ACLs for a user specified drive/share/directory/file; AND
2) If the object on the ACL is a group, recursively enumerate the members of this group until it gets down to an individual user level
Basically the client wants to be able to audit who has access to their data and amend appropriately.
I have found a bunch of stuff that solves one part of the problem but not both, at present we are looking to develop our own tool as we just can't find anything matching our requirements at this stage but I thought I would check to see if anyone at AO had seen or used such a tool.
At this stage we are considering:
Develop script that outputs results to HTML - run by Admins
Develop a tool that can be run by clients that is much more graphical.
There are a few issues still to be solved such as:
Who will run the tool
What permissions they will need on AD and the ACL (which will help determine Who will run the tool)
but what I am after is any ideas on tools that may already be out there for this purpose
Thanks
-
November 16th, 2005, 05:51 AM
#2
I personally really like SuperCACLS
http://www.trustedsystems.com/scaclsintro.htm
It'll give you nice printouts, and is quite useful in overall ACL management.
cheers,
catch
-
November 16th, 2005, 05:01 PM
#3
Have a look at AccessEnum
Oliver's Law:
Experience is something you don't get until just after you need it.
-
November 17th, 2005, 09:46 AM
#4
I assumed AccessEnum would cover 2 too.. but it doesn't..
I was actually looking for another program but couldn't find it..
I was looking for DumpSec.. http://www.somarsoft.com
It still doesn't do exactly what you want.. but it can enumerate nearly everything..
You might have more luck with hyena (which is also in the dumpsec download)
-
November 17th, 2005, 03:32 PM
#5
I would agree with SirDice, as I was going to mention Hyena as well. Very nice tool and it sounds more like what you would be looking for. If I'm not mistaken, DumpSec will give you an "external" enumeration of a box. Correct me if I'm wrong.
-Deeboe
If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.
- Sun Tzu, The Art of War
http://tazforum.**********.com/
-
November 18th, 2005, 12:41 AM
#6
Dumpsec and Hyena are the closest I have found so far, tried those a couple of days ago. The problem I am having is the:
Needs to produce output that is easily readable and understandable for non IT Savvy users - Which in our organisation means technophobes
Probably the best option I have found so far though is DSRAZOR for Windows http://www.visualclick.com/content/productcvm.htm
which is put out by visual click software, this is pretty good, you can download a free 7 day demo (which returns limited results) but seems really good. It is not free software, not sure on the costing yet - I will be looking at that next week but you get a quote based on # user objects in domain.
-
November 18th, 2005, 09:59 AM
#7
If it was me I'd script something together with perl and Win32::FileSecurity and Win32API::Net..
-
November 20th, 2005, 10:26 PM
#8
If it was me I'd script something together with perl and Win32::FileSecurity and Win32API::Net..
That will more likely than not be what happens, either that or a simple VBScript that outputs simple HTML
Thanks everyone
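The requirement from the first post (list the ACL of an object, then expand every group recursively down to individual users) as an added example; it is not code from any poster or from the tools named in this thread. The ACL entries, group memberships and account names are constructed, and a real script would read them from the file system and Active Directory instead.

```python
# Constructed sample data for a hypothetical share. A real tool would fill
# these from the object's ACL and from directory group memberships.
ACL = [  # (trustee, ACE type, rights)
    ("FIN-Managers", "Allow", "Modify"),
    ("FIN-All", "Allow", "Read"),
    ("CORP\\jsmith", "Allow", "FullControl"),
    ("Contractors", "Deny", "Write"),
]
GROUPS = {  # group -> direct members (users or nested groups)
    "FIN-Managers": ["CORP\\alee", "FIN-Leads"],
    "FIN-Leads": ["CORP\\bkhan", "FIN-Managers"],  # circular nesting on purpose
    "FIN-All": ["FIN-Managers", "CORP\\cwong", "Contractors"],
    "Contractors": ["CORP\\dvega"],
}

def expand(trustee, groups, path=()):
    """Yield (user, chain_of_groups) for every user reachable from trustee.

    Any name that is not a key in `groups` is treated as an individual account.
    """
    if trustee not in groups:
        yield trustee, path
        return
    if trustee in path:  # group already on this chain: circular nesting, stop
        return
    for member in groups[trustee]:
        yield from expand(member, groups, path + (trustee,))

def audit(acl, groups):
    """Return {user: sorted [(ace_type, rights, via)]} at individual-user level."""
    report = {}
    for trustee, ace_type, rights in acl:
        for user, path in expand(trustee, groups):
            via = " > ".join(path) or "direct"
            report.setdefault(user, set()).add((ace_type, rights, via))
    return {user: sorted(entries) for user, entries in sorted(report.items())}

def render(report):
    """Plain-text listing that shows through which group chain access is granted."""
    lines = []
    for user, entries in report.items():
        lines.append(user)
        for ace_type, rights, via in entries:
            lines.append(f"  {ace_type:5} {rights:11} via {via}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(render(audit(ACL, GROUPS)))
```

Deny entries are listed beside the Allow entries rather than subtracted from them, so the reader can see both when deciding what to amend.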