Windows: View "all" permissions of a specific user or group

9

1

For a Windows domain, is there a way to see for a certain user or group, where the user/group has permissions?

Primarily: List which files / folders the user can access on a certain network share. (Kind of a recursive "effective permissions") However, other permissions would be cool as well.

I believe I've seen such a tool in action, but I can't remember anything beyond that - so this might be a false memory.

Recommendations?

peterchen

Posted 2013-06-28T12:00:56.867

Reputation: 1 602

Answers

4

Windows Sysinternals has a tool AccessEnum which states: "While the flexible security model employed by Windows NT-based systems allows full control over security and file permissions, managing permissions so that users have appropriate access to files, directories and Registry keys can be difficult. There's no built-in way to quickly view user accesses to a tree of directories or keys. AccessEnum gives you a full view of your file system and Registry security settings in seconds, making it the ideal tool for helping you for security holes and lock down permissions where necessary." Good Luck!

f1assistance

Posted 2013-06-28T12:00:56.867

Reputation: 658

9

The net user command might be what you are looking for. The syntax is as follows:

net user /domain [username]

Sample Return:

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>net user /domain joneswac
The request will be processed at a domain controller for domain MY.SCHOOL.EDU.

User name                    joneswac
Full Name                    Wesley P Jones
Comment
User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never

Password last set            5/6/2013 3:51:33 PM
Password expires             Never
Password changeable          5/6/2013 3:51:33 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory               \\WONDERFULSCHOOL\students\joneswac
Last logon                   6/1/2013 3:31:50 PM

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *SOCIAL AND BEHAVIORAL*IT Boot Camp Admin
                             *Students             *Registered for Classe
                             *Domain Users         *90B SOC SCI TCH PLAN
The command completed successfully.


C:\Windows\system32>

edit: removed typo character from command

iamwpj

Posted 2013-06-28T12:00:56.867

Reputation: 434

1 How does this show permissions? It doesn't. It just shows basic user info. – Tacony – 2019-07-23T15:58:20.580

2

view all login user group (nested too):

DSQUERY USER -name %Username% | DSGET USER -memberof -expand | DSGET GROUP -sid -samid | more

view all user group (nested too):

DSQUERY USER -name <user name> | DSGET USER -memberof -expand | DSGET GROUP -sid -samid | more

view all memberof group (nested too):

DSQUERY GROUP -name "Nected Group Set of resources 1" | DSGET GROUP -memberof -expand | DSGET GROUP -sid -samid

view all members group (nested too):

DSQUERY GROUP -name "Nected Group Set of resources 1" | DSGET GROUP -members -expand | DSGET GROUP -sid -samid

view current user permission, see too /Z /V ... /R options:

GPRESULT /USER %username%

view current user prop:

dsquery *  -filter "(samAccountName=%username%)" -attr *

GUI:

PDF! : Effective Permissions

STTR

Posted 2013-06-28T12:00:56.867

Reputation: 6 180

3 The PDF! : Effective Permissions link is broken. – Kjell Rilbe – 2015-12-08T05:18:35.470
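Added example, not part of any answer on this page: a PowerShell sketch that combines the nested group expansion shown above with an ACL walk, reporting every ACE under a folder or share that names the user or one of the user's groups. The function name `Get-AceForUser`, its parameters and the sample invocation are hypothetical; it assumes a domain-joined machine, a user principal name as input, and read access to the ACLs being inspected.

```powershell
# Added example; Get-AceForUser and its parameters are hypothetical names.
function Get-AceForUser {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,  # UPN of the account to audit
        [Parameter(Mandatory)] [string] $Root,               # folder or UNC share to walk
        [switch] $ExplicitOnly                               # skip inherited ACEs below $Root
    )

    # Building a WindowsIdentity from a UPN performs an S4U logon (no password needed),
    # so Groups already holds nested groups and well-known SIDs.
    $id   = New-Object System.Security.Principal.WindowsIdentity($UserPrincipalName)
    $sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
    $id.Dispose()

    $items = @(Get-Item -LiteralPath $Root -Force) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        try   { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL: $($item.FullName)"; continue }

        # Ask for SIDs so matching does not depend on name resolution.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            if ($sids -notcontains $rule.IdentityReference.Value) { continue }
            if ($ExplicitOnly -and $rule.IsInherited -and
                $item.FullName -ne $items[0].FullName) { continue }

            # Resolve the SID to a name for the report; keep the SID if that fails.
            try   { $via = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $via = $rule.IdentityReference.Value }

            [pscustomobject]@{
                Path      = $item.FullName
                Type      = $rule.AccessControlType   # Allow or Deny
                Rights    = $rule.FileSystemRights
                Via       = $via                      # the user or the group that grants it
                Inherited = $rule.IsInherited
            }
        }
    }
}

# Constructed sample invocation (placeholder names):
# Get-AceForUser -UserPrincipalName 'user@example.test' -Root '\\server\share' -ExplicitOnly |
#     Export-Csv .\user-aces.csv -NoTypeInformation
```

The output lists matching ACEs, both Allow and Deny, rather than a computed effective access, and share-level permissions are not evaluated. Folders whose ACL cannot be read by the account running the script are reported as warnings and skipped.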

0

You can also use ADSISearcher:

([ADSISearcher]"(&(ObjectCategory=User)(cn=Lastname, Firstname))").FindOne().properties

This will return only the permissions of the user but in full list view

Maksim Luzik

Posted 2013-06-28T12:00:56.867

Reputation: 221

0

The best recommendation in my mind is DREP, a very powerful system that allows you to check and track the real file system permissions. You can switch your point of view to a single user (even on multiple configured file servers) or to a single file/folder.

Chiara

Posted 2013-06-28T12:00:56.867

Reputation: 1