Wanted: More Advanced Administration Tool(s)

  • Thread starter Thread starter Yarik
  • Start date Start date
Y

Yarik

Guest
Hello,

Can anyone please recommend any software tool(s) that could help an
administrator (Windows 2003, Windows XP, and eventually Windows
Vista)
to quickly find answers on questions like these:


(1) For a given computer, show all the resources (files, folders,
registry entries, etc.) that have any permissions/restrictions
specified for a given account (local or domain-level account, user or
group)?


(2) For a given resource and account, show all the effective
permissions AND WHY EXACTLY EACH OF THESE PERMISSIONS IS WHAT IT IS?
Ideally, the tool should be aware of implied permissions too (like a
resource owner's implicit permission to change permissions for the
resource).


BTW, it would also be nice if the tool provided some additional help
in managing group memberships. For example, it would be nice if it
allowed to document memberships (i.e. for each group member, document
why exactly does this member has to be in this group).


Thank you,
Yarik.
 
Re: Wanted: More Advanced Administration Tool(s)

Yarik,
Have a look at the Sysinternals tools and then see if you need more:
http://technet.microsoft.com/en-us/sysinternals/25e27bed-b251-4af4-b30a-c2a2a93a80d9.aspx.
AccessEnum does most of what you want.
The part of your question that says WHY EXACTLY: you would need to focus
that down to get any useful answer,
Hope that helps,
Anthony,
http://www.airdesk.co.uk



"Yarik" <yarik@garlic.com> wrote in message
news:61e0a54d-5946-49dc-abbc-3b7e812f8d97@r15g2000prh.googlegroups.com...
> Hello,
>
> Can anyone please recommend any software tool(s) that could help an
> administrator (Windows 2003, Windows XP, and eventually Windows
> Vista)
> to quickly find answers on questions like these:
>
>
> (1) For a given computer, show all the resources (files, folders,
> registry entries, etc.) that have any permissions/restrictions
> specified for a given account (local or domain-level account, user or
> group)?
>
>
> (2) For a given resource and account, show all the effective
> permissions AND WHY EXACTLY EACH OF THESE PERMISSIONS IS WHAT IT IS?
> Ideally, the tool should be aware of implied permissions too (like a
> resource owner's implicit permission to change permissions for the
> resource).
>
>
> BTW, it would also be nice if the tool provided some additional help
> in managing group memberships. For example, it would be nice if it
> allowed to document memberships (i.e. for each group member, document
> why exactly does this member has to be in this group).
>
>
> Thank you,
> Yarik.
>
>
 
Re: Wanted: More Advanced Administration Tool(s)

"Anthony [MVP]" <anthony@no-reply.com> wrote in message
news:%23ZY3MuS%23IHA.1016@TK2MSFTNGP03.phx.gbl...
> Yarik,
> Have a look at the Sysinternals tools and then see if you need more:
> http://technet.microsoft.com/en-us/sysinternals/25e27bed-b251-4af4-b30a-c2a2a93a80d9.aspx.
> AccessEnum does most of what you want.
> The part of your question that says WHY EXACTLY: you would need to focus
> that down to get any useful answer,

I posted a similar question a few weeks ago. He wants something similar
to resultant set of policies (RSOP) applied to file system ACLs instead of
group policy. In other words, look at the ACL for the current folder or
file and explain clearly where is each setting coming from (e.g., the read
permission is inherited from three folders up, but the modify permission is
assigned locally on the object).

--
Will


> "Yarik" <yarik@garlic.com> wrote in message
> news:61e0a54d-5946-49dc-abbc-3b7e812f8d97@r15g2000prh.googlegroups.com...
>> Hello,
>>
>> Can anyone please recommend any software tool(s) that could help an
>> administrator (Windows 2003, Windows XP, and eventually Windows
>> Vista)
>> to quickly find answers on questions like these:
>>
>>
>> (1) For a given computer, show all the resources (files, folders,
>> registry entries, etc.) that have any permissions/restrictions
>> specified for a given account (local or domain-level account, user or
>> group)?
>>
>>
>> (2) For a given resource and account, show all the effective
>> permissions AND WHY EXACTLY EACH OF THESE PERMISSIONS IS WHAT IT IS?
>> Ideally, the tool should be aware of implied permissions too (like a
>> resource owner's implicit permission to change permissions for the
>> resource).
>>
>>
>> BTW, it would also be nice if the tool provided some additional help
>> in managing group memberships. For example, it would be nice if it
>> allowed to document memberships (i.e. for each group member, document
>> why exactly does this member has to be in this group).
>>
>>
>> Thank you,
>> Yarik.
 
Re: Wanted: More Advanced Administration Tool(s)

Thanks for the response!

Apparently my question (1) was not formulated properly. What I need is
to find all the ACL items explicitly referring to a given account.

For example, if a file ACL includes some permissions explicitly
specified for user "MyDomain\JohnDoe", I want this file to be found by
the utility (regardless of what those permissions are). However, if
"MyDomain\JohnDoe" has some permissions for a file just because this
user belongs to some group, I do NOT want this file to be found.

I tried AccessChk and AccessEnum - neither of them can do what I
need.

Neither of them helps with my problem (2) either...
 
Back
Top