How can I display User groups and priviledges?

[Guest]

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Hi, I needs to somehow show all users and what groups and priviledges they
have. This is for our auditors. We somehow need to quickly show them that
we know users out of the IT team can't delegate control, add users to AD etc.

Is this possible? Or do you know of a 3rd party tool that can do this?

Thanks

S

 

[Guest]

Archived from groups: microsoft.public.win2000.active_directory (More info?)

"SW" <SW@discussions.microsoft.com> wrote in message
news:2385F2AD-9C98-43A3-8D0A-9CF5AEED3EBE@microsoft.com...
> Hi, I needs to somehow show all users and what groups and priviledges they
> have. This is for our auditors. We somehow need to quickly show them
that
> we know users out of the IT team can't delegate control, add users to AD
etc.
>
> Is this possible? Or do you know of a 3rd party tool that can do this?

Not really. (But there are likely 3rd party tools to approximate the task.)

"Privileges" come in several categories and it depends on what you mean
by that but many people would mean "permissions on files" or permissions
on other objects.

Since the permissions on files and other objects (shares, printers,
registry,
AD objects itself, etc.) are stored/set ON THE OBJECTS and not really
given to the user you would need to collect these from the file systems etc.
of every machine in the domain (and any trusting domains.)

It's not really impossible, but permission are not really "given to the
user";
they allow the user to perform some task.

Likely no "auditor" could make sense of the data if he were given ALL OF
IT -- unless that auditor brought his own tools and knew what to look for
and how to tweak the tools himself.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]