Thanks Guido.
You hit the nail on the head: “…a good overall group-concept for managing access…” Getting the business process in place is probably more difficult than the technical aspects. I’ve yet to work anywhere that has done a really good job of this, and at one place we looked at a role management tool that would have been too much to ask to get our people to grasp role-based administration so they could use it effectively.
Rich
From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [mailto:[EMAIL PROTECTED]
If you just compare the ACLs on the chosen shares, you'd miss which other shares / folders and whatever other resources may also be secured by a specific group => in the end, you may grant Jim Bob and Curly Sue a lot more access than you had originally intended, simply by adding them to a group determined with your described method.
As such, it is beneficial to have a good overall group-concept for managing access to your resources. This concept should definitely contain a useful naming convention for groups, so that you can determine what a group is used for simply by its name. To get there, you may first need to dump and clean-up / structure your current ACLs. There are a lot of good tools available to help you with this task (e.g. dumpsec, a.k.a. dumpacl from http://www.somarsoft.com/).
/Guido
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
You know how sometimes you see these requests (or your help desk does) for: “Please give Jim Bob and Curly Sue access to \\server1\accounting, \\server3\cashcount, and \\server5\dontlookhere” and you think, “hmmm, now what group gives rights to those 3 servers because I’m not going to add Jim Bob or Curly Sue individual rights to those directories…” Wouldn’t it be nice to have a script that says,
Enter list of shares to check
Compare ACLs on shares
Print list of groups with common rights on those shares
?
Or maybe some variation on that. In any event it’s a daily thing, having to go look at which groups to add a user to. How do others resolve this issue? Going to roles-based security is not easy without money for a third-party add-on. Or is it?
Thanks
Rich
-------APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE------- PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or any attachments. This information is strictly confidential and may be subject to attorney-client privilege. This message is intended only for the use of the named addressee. If you are not the intended recipient of this message, unauthorized forwarding, printing, copying, distribution, or using such information is strictly prohibited and may be unlawful. If you have received this in error, you should kindly notify the sender by reply e-mail and immediately destroy this message. Unauthorized interception of this e-mail is a violation of federal criminal law. Applebee's International, Inc. reserves the right to monitor and review the content of all messages sent to and from this e-mail address. Messages sent to or from this e-mail address may be stored on the Applebee's International, Inc. e-mail system.
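The script idea from this thread combined with Guido's caveat, as an added example (not code from either poster): it works over a constructed ACL inventory instead of live shares, lists the groups that hold rights on every requested share, and reports what else each group unlocks. The group names and the \\server2 and \\server4 shares are assumptions made up for the illustration.

```python
from collections import defaultdict

# Constructed ACL inventory: (resource, group, rights). In practice this would
# be built from an ACL dump of ALL shares, not only the ones being requested.
ACL_DUMP = [
    (r"\\server1\accounting", "ACCT-RW", "Modify"),
    (r"\\server3\cashcount", "ACCT-RW", "Modify"),
    (r"\\server5\dontlookhere", "ACCT-RW", "Read"),
    (r"\\server1\accounting", "FIN-ALL", "Modify"),
    (r"\\server3\cashcount", "FIN-ALL", "Modify"),
    (r"\\server5\dontlookhere", "FIN-ALL", "Modify"),
    (r"\\server2\payroll", "FIN-ALL", "Modify"),
    (r"\\server4\hr", "FIN-ALL", "Read"),
    (r"\\server1\accounting", "Auditors", "Read"),
    (r"\\server3\cashcount", "Auditors", "Read"),
]

def index_by_group(acl_dump):
    """Map group -> {resource: rights}; paths are compared case-insensitively."""
    grants = defaultdict(dict)
    for resource, group, rights in acl_dump:
        grants[group][resource.lower()] = rights
    return grants

def candidate_groups(acl_dump, requested):
    """Groups with an entry on every requested share, plus the other resources
    membership would also open up. Least excess access is listed first."""
    wanted = {r.lower() for r in requested}
    results = []
    for group, resources in index_by_group(acl_dump).items():
        if wanted.issubset(resources):
            results.append({
                "group": group,
                "rights": {r: resources[r] for r in sorted(wanted)},
                "extra": sorted(set(resources) - wanted),
            })
    return sorted(results, key=lambda c: (len(c["extra"]), c["group"]))

if __name__ == "__main__":
    shares = [r"\\server1\accounting", r"\\server3\cashcount",
              r"\\server5\dontlookhere"]
    for c in candidate_groups(ACL_DUMP, shares):
        print(c["group"], c["rights"])
        print("  also grants access to:", c["extra"] or "nothing else")
```

A group can appear on all requested shares with different rights on each (Read on one, Modify on another), so the per-share rights are returned alongside the group name for review before anyone is added.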
