Let me preface what will probably be a longish answer with "There is no simple solution".
Solving this will take some strategic work (which is why I recommended not moving this to SF).
Now I will explain why.
Windows, at its core, is mostly based on the DAC model of access control.
Everything in the OS is securable with an ACL - files, folders, registry, named pipes, sockets, shares, etc etc.
Using AD groups allows you to abstract that into an RBAC-type model, but internally it's still a DAC model. (What I mean is, you can create an ACE (access control entry) for a group (i.e. role), but you're still creating an ACE - and that is what will be verified on access).
Emphasis on "mostly".
There are a few distinct exceptions to this:
- There is some implementation of MAC - i.e. Integrity Levels (in Vista/7/2008).
However, this is usually and internal OS protection mechanism, and is usually not leveraged for real access control (other than the built-in UAC). Usually.
- OS-level privileges. (Though it is possible to specify a specific user to grant these privileges to, it is intended - and functions as - a RBAC model).
But wait, that's just in the OS itself...
Windows, as a platform, allows and encourages applications (3rd party, MS products, and OS addons) to use AD group membership as an RBAC mechanism:
- 3rd party applications can verify group membership via a simple AD/LDAP lookup - these apps might be storing the group name and resolving on that, or saving the group's SID and querying directly for that.
- Don't forget SQL Server - this is mainly based on (several different types of) roles, however best practice is usually recommended to add AD groups to these roles, and not the users directly.
- As long as we're at it, COM+ also manages access by RBAC, but again best practice is to add groups, not users, to COM+ roles.
- Sharepoint also manages access to sites according to roles / groups / and mailing lists...
Starting to see my point?
I don't want to say it's hopeless, BUT...
To recap:
In order to find the definitive list of permissions a specific group has, you (or a tool) would need to recursively check ALL of the following (and, dont forget to recurse on group membership, too):
- For each server in your org:
- recursively check ACL on all folders and files
- recursively check SACL on all folders and files (system access control lists - these control auditing)
- recursively check owner on all folders and files
- recursively check ACL, SACL, and owner on all registry keys
- recursively check ACL, SACL, and owner on all named pipes, processes and threads, services, jobs, etc.
- Check all OS level privileges (though it is possible this can be made easier using GPOs...)
- Check all COM+ roles, MSMQ roles, etc.
- For each domain in your AD:
- Check all domain-level privileges
- check all GPOs (group policy objects)
- For each database server:
- Check all server roles
- check all database roles
- check all application roles (in MSSQL)
- For each Sharepoint portal:
- check all server-level roles and privileges
- check all site-level and list-level roles and privileges
- For each 3rd party application:
- Check any use of AD groups
- verify how the app uses these roles:
-> Group name vs. DN vs. group SID vs. ... e.g. group GUID
-> does the app explictly check direct role membership, or does it use the "smarter" recursive methods?
- Note that this applies both to 3rd party packaged products and platforms (e.g. Oracle, SAP, MQSeries, WebSphere... ), and to custom developed business apps.
Is this complete?
Sadly, no. For example I didnt include reviewing all desktops in the org, since those shouldnt have specific AD-group level permissions set on them (except for e.g. Administrators and HelpDesk) - but note that they often do.
But this is not a complete list...
This is the big disadvantage to using a DAC model - the "D
" could just as well have been for "Distributed", since there is not central place to look up all these ACLs.
As I noted in What is the difference between RBAC and DAC/ACL?:
- DAC definitions are typically attached to the data/resource, whereas RBAC is usually defined in two places: in code/configuration/metadata (the roles access), and on the user object (or table - the roles each user has).
Now, a little about solutions:
- There are several tools to collect different parts of the above lists, e.g. @Ian's answer using powershell scripts to collect folder ACLs. There are many other tools for that (I've been known to use CACLS in the past), some are noted here.
For requesting a tool/script for a specific part of the list, you might get better ideas at ServerFault. However take into account that it's only one part of the list.
- There are "role management" and "role discovery" products out there, from some of the big vendors, usually in the Identity Management space - I cant specifically recommend one, but worth looking into: CA (formerly Eurekify which was a decent (though not complete) tool), IBM, Oracle.
Of course there are others, and I would lean heavily towards finding best-of-breed smaller vendors, even from a startup (okay, maybe I am biased ;) ). I mean, from those that havent been bought out by the bigger vendors.
- You could (and probably should, though this is far from trivial) start the process of mapping out the organization, business requirements, and such - aiming for what privileges they should get, and not just what the status quo is right now. Some of the tools mentioned in the previous point could help here.
- If the previous roles analysis and modeling goes well, consider going for a full-blown IdM/IAM/EAM solution. Again, my comments wrt vendors still stands.
- In any event, aim towards minimizing the distribution of ACLs all over the place, and push for minimal RBAC, centralized as much as possible.
And, a final word of warning to those who are lucky enough to be before the unpleasant situation you currently find yourself in:
Definitely look into a centralized authorization platform, such as IdM/IAM/EAM products. (Note that some are much better than others, and some wouldn't even solve this situation either.)
tl;dr: You are rightly and truly screwed. See above. ;)
(but all hope is not lost...)