Ouch.
How large an environment are we talking about? You could use something like
DumpSec to list the DACLs and SACLs (and it's important to list the SACLs,
because the group could be being used for auditing purposes as well as
permissions granting) and could then parse the output, but depending on the size
of the environment and how much you really want to do this, that may not be
feasible/desirable. Unfortunately, auditing your DCs isn't going to tell you
where the group is being used in ACLs, if at all.
There
may be other options that aren't occurring to me at the moment, however.
:-)
Laura
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Figueroa, Johnny
Sent: Wednesday, September 06, 2006 2:12 PM
To: [email protected]
Subject: RE: [ActiveDir] Is a Global Security group being used?The tough one... being used in resource ACLs
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Wednesday, September 06, 2006 10:16
To: [email protected]
Subject: RE: [ActiveDir] Is a Global Security group being used?What do you mean by "being used"? Are you referring to it being in resource ACLs? Nested into other groups?Laura
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Figueroa, Johnny
Sent: Wednesday, September 06, 2006 12:44 PM
To: [email protected]
Subject: [ActiveDir] Is a Global Security group being used?Does anyone have a way to determine if a domain global group is being used?. Will auditing on the DCs tell me this?Thanks in advance.Johnny Figueroa
