Educause Security Discussion mailing list archives

Re: RESENT - File Sharing with Active Directory (AD) - migrating off of Novell File Sharing


From: Will Froning <will.froning () GMAIL COM>
Date: Tue, 23 Feb 2010 21:43:25 +0400

Hello All,

On Tue, Feb 23, 2010 at 2:02 AM, Chris Green <cmgreen () uab edu> wrote:
> Try:
>
> http://technet.microsoft.com/en-us/sysinternals/bb664922.aspx
>
> AD does do a good job of displaying what GROUPS someone is a member of so if you can enforce most permissions are
> done by group, you can take care of most of your typical edge cases.  However, it just takes one lazy ACL to get that
> to be a "scan everything".
>
> On the same topic, anyone know a simple way to do similar for SharePoint?

I've never used this, but I think it does what you both need:

<http://www.scriptlogic.com/products/enterprisesecurityreporter/>

Having said that, we use group-based share permissions.  So we don't
really mess with NTFS.  It puts more of the onus on central IT for the
initial setup, but we know/think it's done right.

Thanks,
Will

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
Conlee, Keith
Sent: Monday, February 22, 2010 3:40 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] RESENT - File Sharing with Active Directory (AD) - migrating off of Novell File Sharing

TOPIC:  Security and File Sharing using Microsoft Active Directory (AD)

I apologize for resending this message.  The first time my Subject line was the generic date/time of issue of the 
current Security Digest and not about the topic of the text I posted.

We implement file sharing with Novell but will soon be migrating off of Novell and implementing file sharing with AD.
With Novell file sharing, the files/folders a user has access to are attributes of the user's Novell account (under
the "Memberships" and "Rights to Files/Folders" tabs).  So it is very easy to find out what shared files/folders a
user has access to just by looking at what is recorded in the user's individual Novell account information.  BUT with
implementing file sharing with AD, the designation of what files/folders a user has access to is an attribute of each
file or folder (at Properties->Security tab).  So with AD file sharing it is extremely difficult to know what
files/folders an individual user has access to without going to each shared file/folder in the system and looking to
see if the user has access to it.  HELP!

QUESTION:  Is there a utility or a methodology out there somewhere that can be run against an AD file sharing 
implementation that I can execute with "user ID" variable that will generate a report of what files/folders the 
specified "user ID" has access to?

Thanks for any help you can give.  If you just want to contact me directly, my contact information is below.

Keith Conlee, CISSP, CBCP
Chief Security Officer, IT
College of DuPage
425 Fawell Blvd.
Glen Ellyn, IL 60137-6599

Ph. - 630.942.3055
Fax. - 630.790.0325

-- 
Will Froning
Unix SysAdmin
Will.Froning () GMail com
MSN: wfroning () angui sh
YIM: will_froning
AIM: willfroning
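As an added example (not from this thread), one way to build the per-user report Keith asks for in PowerShell: resolve the user's SID and every group SID in the account's token from AD, then walk a share tree and list each NTFS ACE that names one of them. It assumes the RSAT ActiveDirectory module is installed; \\FILESRV\Share is a placeholder path.

```powershell
# Hypothetical helper: inventory NTFS ACEs on a share tree that apply to one user,
# directly or through (nested) group membership. Assumes the ActiveDirectory module.
param(
    [Parameter(Mandatory)] [string] $SamAccountName,
    [Parameter(Mandatory)] [string] $Root   # placeholder, e.g. \\FILESRV\Share
)

Import-Module ActiveDirectory

# tokenGroups is a constructed attribute holding the user's SID-expanded group list,
# nested groups included; add the well-known principals every ACL can reference.
$user = Get-ADUser -Identity $SamAccountName -Properties tokenGroups
$sids = @($user.SID.Value) + @($user.tokenGroups | ForEach-Object { $_.Value })
$sids += 'S-1-1-0'    # Everyone
$sids += 'S-1-5-11'   # Authenticated Users
$sids = $sids | Sort-Object -Unique

function Get-AceSid([System.Security.AccessControl.FileSystemAccessRule] $Ace) {
    # Normalise the ACE identity (name or SID) to a SID string; $null if unresolvable.
    try { $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { $null }
}

# Folders only, to keep the report readable; drop -Directory to include files.
Get-ChildItem -Path $Root -Recurse -Directory -ErrorAction SilentlyContinue |
  ForEach-Object {
    $path = $_.FullName
    try { $acl = Get-Acl -LiteralPath $path -ErrorAction Stop } catch { return }
    foreach ($ace in $acl.Access) {
        $sid = Get-AceSid $ace
        if ($sid -and ($sids -contains $sid)) {
            [pscustomobject]@{
                Path      = $path
                Principal = $ace.IdentityReference.Value
                Type      = $ace.AccessControlType   # Allow or Deny
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
  } | Export-Csv -Path ".\$SamAccountName-ntfs-access.csv" -NoTypeInformation
```

This lists matching ACEs rather than computing effective rights: Deny entries override Allow entries, and share-level permissions (which Will's group-based approach relies on) are evaluated separately from NTFS, so both must be read together when judging what the user can actually reach.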
