You can use Dumpsec tool to generate group membership , owner
information and permissions , However you will have manually email this
information which the owners can validate .
HTH . Cheers
Manish Desai
========================================================================
===============================
-----Original Message-----
From: Stephen Hefner [mailto:goneshooting@sbcglobal.net]
Sent: Saturday, March 11, 2006 11:08 AM
To: benoit.fortin@cgi.com; focus-ms@securityfocus.com
Subject: RE: Automate group membership validation
You could script solution 3. For instance you could use the showmbrs or
showlocal tools in the resource kit
Showmbrs \\servers1\somegroup >> ownername.txt
I'm not as familiar with the script to send it via email but one of my
coworkers does that automated emailing all the time through scripts.
-----Original Message-----
From: benoit.fortin@cgi.com [mailto:benoit.fortin@cgi.com]
Sent: Friday, March 10, 2006 6:58 AM
To: focus-ms@securityfocus.com
Subject: Automate group membership validation
Hi,
The company for which I work has a security policy that I have to comply
with. According to this policy, all grouplist providing access to shared
information must be reviewed every 6 months.
I have about 100 different folders, on only one file server, with
different NTFS permissions to manage. Each of those folders has a owner,
and the owners have the responsability to review who can access their
folders.
The security on each folder contains only one group of users and each
group is only assigned to one folder. For example, the folder "folder01"
would only have the "folder01group" group assigned to the folder with
Modify permissions. The different ACLs are only applied on the root of
these folders - so the folder "folder01\subfolder01" will have the same
permissions has its parent (folder01group has Modify permissions).
The domain we are using right now is running on NT domain controllers,
but we are planning to migrate to AD soon. The file server is running
Windows 2000.
Now, what I would like to find is a way to automate the management of
those permissions. Here are some of the solutions could help me with
complying with the new policy :
Solution example number 1 : The owners of the different folders go on
some website (or maybe on some other software on a share). They logon
using some username and password, and then they can view the members of
the different user groups associated with the folders that they manage.
They can validate the group and maybe send an e-mail to the Help Desk so
we can remove the users.
Solution example number 2 : Same as solution 1, except that they can now
manage the removal of users in their groups (the right would be
delegated through AD). However, I don't want them to have to use some
user manager.
They have to get an easy interface where all they see is the folders
names and users names.
Solution example number 3 : Some software running somewhere extracts the
group membership and send e-mails to the owners of the folders each
month.
Anyone here is using a similar setup, or anything similar that could
help me comply with this policy? Or anyone knows some tools that could
help me?
Regards,
B. Fortin
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
---------------------------------------------------------------------------
---------------------------------------------------------------------------
