Archived from groups: microsoft.public.win2000.security
First off you need to understand your terms.
An ACL is a security structure that contains ownership information as well as
auditing information as well as permissioning information. I do not believe
there is a tool in existence that will check for duplicate ACL across all
securable resources in a network.
Most likely you are looking for where a given security principal has been added
to an ACL to grant access. Security principals are added to ACEs which are in
the permission section of an ACL.
Even checking all securable resources for a specific security principal is
rather difficult. Too difficult, and luckily MS has realized this and is working
towards a better future, but that is in the future. Right now, something would
need to scan the ACL of every securable resource looking for that ACE. This is
non-trivial. Breaking it down to specific securable resources such as
directories and shares makes it easier but doesn't make it easy, as every object
(i.e. every file, every directory, every share) still has to be scanned for the
security principal.
There are third party tools out there that claim to do this, you can also invest
time in writing scripts to do so. For most people, the answer is generally no,
this can't be done but it is strictly a feasibility issue, not actually
technically impossible. It comes down to how much money do you want to spend to
get the answer.
This is all countered by having extremely strong standards for securing objects
and severely punishing deviations from that standard when found.
--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net
Martin Kelly wrote:
> My Security guys tell me this can't be done and I just don't believe them.
> I've got an ACL on a Windows 2000 Domain and I'd like to know all the objects
> on the domain that this ACL has been applied to. Really I'm looking for which
> Directories/Shares this ACL has permissions on?
>
> Are my Security guys correct?
>
> Martin
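The scan Joe describes (walk every directory and share, read its DACL, and report each ACE that names the principal) looks like this in script form. This is an added example, not code from either poster, and it post-dates the thread: it assumes a host with Windows PowerShell 3 or later, the built-in Get-Acl and Get-WmiObject cmdlets, and the WMI class Win32_LogicalShareSecuritySetting for share permissions. The principal name and the root paths are placeholders to replace; it scans one host at a time, so a domain-wide answer means running it on every file server.

```powershell
# Added example (not from the original thread). Finds every NTFS object under
# the given roots, and every SMB share on this host, whose DACL holds an ACE
# for a specific security principal. The principal and roots are placeholders.
param(
    [string]$Principal = 'CONTOSO\FinanceUsers',    # hypothetical group to search for
    [string[]]$Roots   = @('D:\Data', 'E:\Shares')  # hypothetical directory roots
)

$hits = New-Object System.Collections.Generic.List[object]

# 1. File system. Every file and directory carries its own DACL, so each one
#    must be read; there is no index to consult. Explicit ACEs are the ones
#    someone added on purpose, inherited ACEs only echo a parent, so the
#    report keeps the IsInherited flag to tell them apart.
foreach ($root in $Roots) {
    Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
      ForEach-Object {
        # Objects the scanning account cannot read are skipped, which is one
        # reason the result is only as complete as the account running it.
        try { $acl = Get-Acl -Path $_.FullName -ErrorAction Stop } catch { return }
        foreach ($ace in $acl.Access) {
            # IdentityReference is a resolved DOMAIN\Name, or a raw SID if the
            # account no longer resolves (an orphaned ACE worth its own review).
            if ($ace.IdentityReference.Value -ieq $Principal) {
                $hits.Add([pscustomobject]@{
                    Kind      = 'NTFS'
                    Path      = $_.FullName
                    Type      = $ace.AccessControlType   # Allow or Deny
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                })
            }
        }
      }
}

# 2. Shares. Share permissions are a separate DACL from the NTFS one, so a
#    principal can appear here without appearing on the folder, and vice versa.
#    GetSecurityDescriptor() returns a Win32_SecurityDescriptor whose DACL is
#    an array of Win32_ACE objects carrying a Trustee and an AccessMask.
foreach ($setting in Get-WmiObject -Class Win32_LogicalShareSecuritySetting) {
    $sd = $setting.GetSecurityDescriptor().Descriptor
    if ($null -eq $sd -or $null -eq $sd.DACL) { continue }   # no DACL means no ACEs to check
    foreach ($ace in @($sd.DACL)) {
        $who = if ($ace.Trustee.Domain) {
            "$($ace.Trustee.Domain)\$($ace.Trustee.Name)"
        } else {
            $ace.Trustee.Name
        }
        if ($who -ieq $Principal) {
            $hits.Add([pscustomobject]@{
                Kind      = 'Share'
                Path      = "\\$env:COMPUTERNAME\$($setting.Name)"
                Type      = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }  # 0 = allowed, 1 = denied
                Rights    = '0x{0:X}' -f $ace.AccessMask   # e.g. 0x1F01FF Full, 0x1301BF Change, 0x1200A9 Read
                Inherited = $false                         # share ACEs are never inherited
            })
        }
    }
}

$hits | Sort-Object Kind, Path | Format-Table -AutoSize
```

The script answers "where does this principal appear" rather than "where is this ACL applied", which is the substitution Joe makes in his reply: the ACL is the whole structure on one object, and what the question really wants is the set of objects carrying an ACE for one group. Two caveats follow from the reply as well. The walk is only as complete as the account running it, since any object that account cannot read is silently skipped, and nothing here covers other securable types (registry keys, Active Directory objects, services), each of which would need its own walk with its own cmdlets.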