Tool that can report NTFS permissions by group?

[hillboy]

I am looking for a tool that can report the NTFS permissions on our file server based on group membership.

My problem is that I have a few hundred global groups and need to know which groups are outdated and do not have permissions on the file server. If a group doesn't have any permissions then I know that I can delete it.

Thanks in advance for any help.

 

[yizhar]

HI.

You can do it in 4 steps.

1) Create a report of the NTFS permissions, and save it to a text file.
You can use a tool like DumpSec from here:

http://www.somarsoft.com

Let's say you saved the report to file:
C:\PERMISSIONS.TXT

2) Create a list of group names:
NET GROUP >GROUPLIST.TXT

3) Create a batch file that takes 1 parameter (group name) and checks if that parameter is found in the report.
Something similar to this one:
Lest call the batch file: LOOKFORGROUP.CMD

FIND /I "%1" C:\PERMISSIONS.TXT
IF ERRORLEVEL 1 ECHO %1 >>C:\NOTFOUND.TXT

Test by running the batch file to verify that it works as expected.

4) Now play with the GROUPLIST.TXT file in a powerfull text editor (like NOTEPAD) to create a batch file that will run the previous batch file agains any group in the list, something like this:

CALL LOOKFORGROUP.CMD GROUP1
CALL LOOKFORGROUP.CMD GROUP2
CALL LOOKFORGROUP.CMD GROUP3
....

An alternate option of the above step, you can keep the GROUPLIST.TXT file as is (just trim the first few unneeded lines from it), and use a command like this:

FOR /F %G IN (GROUPLIST.TXT) DO LOOKFORGROUP.CMD %G

This will work on XP machines. I don't think that the FOR /F syntax works on NT4 .


I suggest that you take the initial reports from the real server, but run the batch files on a workstation and not at the server itself.

Good luck.


Yizhar Hurwitz

http://teachers.sivan.co.il/yizhar