
Network Security Focus-Microsoft

RE: Automate group membership validation

Subject: RE: Automate group membership validation
Date: Fri, 10 Mar 2006 18:05:12 +0100
You can do this with a script that you will be able to reuse with 2000/2003 AD.

Install WMI on the NT4 PDC.
That allows you to run VBS (see Richard Mueller's web site
http://www.rlmueller.net/freecode3.htm).
Add an extra feature to create a unique file per group, with the group name as the file
name.
Build a simple text file: group name;owner SMTP address

Create a script having this logic:
Open the simple text file as a dictionary
For each item i
Send item i to item ii

Hope this helps
Cheers
christophe

-----Original Message-----
From: Desai, Manish [mailto:MDESAI@HIPUSA.com] 
Sent: Friday, March 10, 2006 5:25 PM
To: Stephen Hefner; benoit.fortin@cgi.com; focus-ms@securityfocus.com
Subject: RE: Automate group membership validation

You can use the DumpSec tool to generate group membership, owner
information and permissions. However, you will have to manually email this
information so that the owners can validate it.

HTH. Cheers

Manish Desai  

-----Original Message-----
From: Stephen Hefner [mailto:goneshooting@sbcglobal.net] 
Sent: Saturday, March 11, 2006 11:08 AM
To: benoit.fortin@cgi.com; focus-ms@securityfocus.com
Subject: RE: Automate group membership validation

You could script solution 3. For instance, you could use the showmbrs or
showlocal tools in the resource kit:

Showmbrs \\servers1\somegroup >> ownername.txt

I'm not as familiar with the script to send it via email, but one of my
coworkers does that automated emailing all the time through scripts.





-----Original Message-----
From: benoit.fortin@cgi.com [mailto:benoit.fortin@cgi.com]
Sent: Friday, March 10, 2006 6:58 AM
To: focus-ms@securityfocus.com
Subject: Automate group membership validation

Hi,

The company for which I work has a security policy that I have to comply
with. According to this policy, all group lists providing access to shared
information must be reviewed every 6 months.

I have about 100 different folders, on only one file server, with
different NTFS permissions to manage. Each of those folders has an owner,
and the owners have the responsibility to review who can access their
folders.

The security on each folder contains only one group of users, and each
group is only assigned to one folder. For example, the folder "folder01"
would only have the "folder01group" group assigned to the folder with
Modify permissions. The different ACLs are only applied on the root of
these folders, so the folder "folder01\subfolder01" will have the same
permissions as its parent (folder01group has Modify permissions).

The domain we are using right now is running on NT domain controllers,
but we are planning to migrate to AD soon. The file server is running
Windows 2000.

Now, what I would like to find is a way to automate the management of
those permissions. Here are some of the solutions that could help me
comply with the new policy:

Solution example number 1 : The owners of the different folders go on
some website (or maybe on some other software on a share). They logon
using some username and password, and then they can view the members of
the different user groups associated with the folders that they manage.
They can validate the group and maybe send an e-mail to the Help Desk so
we can remove the users.

Solution example number 2 : Same as solution 1, except that they can now
manage the removal of users in their groups (the right would be
delegated through AD). However, I don't want them to have to use some
user manager. They have to get an easy interface where all they see is
the folder names and user names.

Solution example number 3 : Some software running somewhere extracts the
group membership and sends e-mails to the owners of the folders each
month.

Is anyone here using a similar setup, or anything similar that could
help me comply with this policy? Or does anyone know some tools that could
help me?

Regards,

B. Fortin
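The following is an added example, not code from any poster in this thread. It implements solution 3 along the lines of Christophe's "group name;owner" text file and Stephen's per-group dump, but in PowerShell against Active Directory (which the original poster was about to migrate to). It also adds the check a reviewer would want given the setup described in the original question: before mailing an owner the member list, it reads the folder root's ACL and warns if the expected group is missing or if any other non-system principal has an ACE, since the review is only meaningful when the group-to-folder mapping is actually what the file server enforces. Everything in it is assumed for illustration: the mapping file path and format (folder;group;owner e-mail), the SMTP relay, the sender address, and the presence of the RSAT ActiveDirectory module.

```powershell
# Added example, not from the thread. Assumptions (none of these appear in the original posts):
#  - a mapping file C:\review\folders.txt with one line per folder:  folder;group;owner-smtp
#      e.g.  \\fileserver\share\folder01;folder01group;alice@example.com
#  - the RSAT ActiveDirectory module is installed (Get-ADGroupMember / Get-ADUser)
#  - smtp.example.com relays mail from access-review@example.com
param(
    [string]$MappingFile = 'C:\review\folders.txt',
    [string]$SmtpServer  = 'smtp.example.com',
    [string]$From        = 'access-review@example.com',
    [switch]$DryRun                 # print the reports instead of mailing them
)
Import-Module ActiveDirectory -ErrorAction Stop

# Principals expected on every folder root; they are not subject to the owner's review.
$ignoredIdentities = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')

# -Header makes every line data (the file has no header row); skip incomplete lines.
$rows = Import-Csv -Path $MappingFile -Delimiter ';' -Header Folder, Group, Owner |
        Where-Object { $_.Folder -and $_.Group -and $_.Owner }

# One report per owner: an owner may be responsible for several folders.
foreach ($ownerGroup in ($rows | Group-Object -Property Owner)) {
    $report = New-Object System.Collections.Generic.List[string]
    $report.Add('Semi-annual access review for the folders you own. Reply with the accounts to remove.')
    $report.Add('')

    foreach ($row in $ownerGroup.Group) {
        $report.Add("Folder: $($row.Folder)")
        $report.Add("Group : $($row.Group)")

        # Check 1: the folder root must grant access to exactly this group. Any other ACE for a
        # non-system principal means the mapping file and the real ACL disagree.
        try {
            $aces = (Get-Acl -Path $row.Folder).Access |
                    Where-Object { $ignoredIdentities -notcontains $_.IdentityReference.Value }
            # IdentityReference is "DOMAIN\name"; compare only the account part.
            $expected   = $aces | Where-Object { ($_.IdentityReference.Value -split '\\')[-1] -ieq $row.Group }
            $unexpected = $aces | Where-Object { ($_.IdentityReference.Value -split '\\')[-1] -ine $row.Group }
            if (-not $expected) {
                $report.Add("  WARNING: $($row.Group) is not in the ACL of this folder")
            }
            foreach ($ace in $unexpected) {
                $report.Add("  WARNING: unexpected ACE: $($ace.IdentityReference) $($ace.FileSystemRights) ($($ace.AccessControlType))")
            }
        } catch {
            $report.Add("  ERROR: could not read ACL: $($_.Exception.Message)")
        }

        # Check 2: enumerate members. -Recursive flattens nested groups so the owner sees every
        # account that really gets access; nested groups are also named so the owner knows that
        # part of the membership is controlled elsewhere.
        try {
            $direct = Get-ADGroupMember -Identity $row.Group
            foreach ($g in ($direct | Where-Object { $_.objectClass -eq 'group' })) {
                $report.Add("  NOTE: nested group $($g.SamAccountName); its members are included below")
            }
            $users = Get-ADGroupMember -Identity $row.Group -Recursive |
                     Where-Object { $_.objectClass -eq 'user' } |
                     Sort-Object SamAccountName -Unique
            $report.Add("  Members ($(@($users).Count)):")
            foreach ($u in $users) {
                $acct = Get-ADUser -Identity $u.DistinguishedName -Properties Enabled
                $flag = if (-not $acct.Enabled) { ' [DISABLED]' } else { '' }
                $report.Add("    $($acct.SamAccountName)  $($acct.Name)$flag")
            }
        } catch {
            $report.Add("  ERROR: could not enumerate $($row.Group): $($_.Exception.Message)")
        }
        $report.Add('')
    }

    $body = $report -join "`r`n"
    if ($DryRun) {
        Write-Output "---- $($ownerGroup.Name) ----"
        Write-Output $body
    } else {
        Send-MailMessage -SmtpServer $SmtpServer -From $From -To $ownerGroup.Name `
            -Subject "Access review: $($ownerGroup.Count) folder(s) to validate" -Body $body
    }
}
```

Run it once with -DryRun to confirm the mapping file and ACLs line up before any owner receives mail; the WARNING lines are the ones the security team, not the owner, should act on first, since a folder with an extra ACE or a missing group is outside the review the policy assumes.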
