From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Monday, 2 May 2005 17:06
To: [email protected]
Subject: [ActiveDir] Checking if security principal is used in an ACL on the FS
Hi,
After a migration we did, we want to clean up some security principals (mostly groups).
Situation:
* File server with data that uses AD groups for the ACLs
* AD OU structure with groups where most of them are used on the file system to protect in some manner (the groups are not used for anything else!)
What I want to do:
* Cleanup ALL unused groups
Possible unused groups that can be removed:
(1) groups with no members but used on the file system
(2) groups with members but not used anywhere on the file system
Solution for (1)
* Query AD for all empty groups from the OU structure and delete them
* Force AD replication
* Use SUBINACL to remove deleted SIDs with the option /CLEANDELETEDSIDSFROM
Solution for (2)
* Get all SIDs used on the file system
* Get all GROUP SIDs from AD
* "Extract" the file system SIDs from the GROUP SIDs in AD and remove the groups that are left
Anyone got any other ideas or a tool that can do this for (2)?
PS.: It would be nice if the file system was integrated with AD like in the NDS
Cheers,
#JORGE#
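
One way to do the comparison described under (2), as an added example that is not part of the original message. It assumes the ActiveDirectory PowerShell module is available; the share root and OU are placeholders. It goes beyond the message in two ways: it also matches sIDHistory values (on the assumption that the migration may have left old SIDs on ACLs), and it only lists candidate groups, deleting nothing.

```powershell
# Added example, not from the original message. $Root and $SearchBase are placeholders.
# Requires the ActiveDirectory module (RSAT). Read-only: lists candidates, deletes nothing.
param(
    [string]$Root       = 'D:\Data',
    [string]$SearchBase = 'OU=Groups,DC=example,DC=com'
)
Import-Module ActiveDirectory
$sidType = [System.Security.Principal.SecurityIdentifier]

# Step 1: collect every SID referenced by a DACL on $Root and everything below it.
$usedSids = New-Object 'System.Collections.Generic.HashSet[string]'
$items = @(Get-Item -LiteralPath $Root) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force `
               -ErrorAction SilentlyContinue -ErrorVariable walkErrors)
$aclErrors = 0
foreach ($item in $items) {
    try   { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
    catch { $aclErrors++; continue }
    # Explicit and inherited ACEs, with identities returned as SIDs rather than names,
    # so entries for deleted or unresolvable principals are still counted.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        [void]$usedSids.Add($ace.IdentityReference.Value)
    }
}
# An unreadable folder may hide the only ACL that references a group.
if ($walkErrors.Count -gt 0 -or $aclErrors -gt 0) {
    Write-Warning ("{0} paths and {1} ACLs could not be read; treat the result as incomplete." -f
                   $walkErrors.Count, $aclErrors)
}

# Steps 2 and 3: groups in the OU whose current SID and sIDHistory never appear in $usedSids.
Get-ADGroup -Filter * -SearchBase $SearchBase -Properties member, memberOf, sIDHistory |
    Where-Object {
        $sids = @($_.SID.Value) + @($_.sIDHistory | ForEach-Object { $_.Value })
        -not ($sids | Where-Object { $usedSids.Contains($_) })
    } |
    Select-Object Name,
                  @{n = 'SID';      e = { $_.SID.Value }},
                  @{n = 'Members';  e = { @($_.member).Count }},
                  @{n = 'NestedIn'; e = { @($_.memberOf).Count }} |
    Sort-Object Name
```

A non-zero `NestedIn` means the group is a member of another group and may still grant access indirectly, so review those rows before removing anything.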
