Printing AD items

[Guest]

How can I print what users are in certain AD Groups and what folders each
group has rights to. I can export a list of users to a txt file. But it only
list the users and groups, nothing about their rights etc.

 

[Herb Martin]

How can I print what users are in certain AD Groups and what folders each
group has rights to. I can export a list of users to a txt file. But it only
list the users and groups, nothing about their rights etc.

You cannot print the Group members from within
AD Users/Computers (which you likely realized)
since Groups are NOT "containers" and don't appear
in the left browser pain to be printed like OUs (which
are containers.)

For Groups you can use on of the the Global.exe and
Local.exe programs from the ResKit (likely free on the
MS Website but not all of these tools are there.)

You can also write a script (VBS etc.) to do this or
look at some of the sample/tool scripts that are also
in the ResKit.

There is no practical way to show which folders
each group has permission to access -- unless you
can isolate the location of those folders (e.g., on
some specific file server.)

In which case you may be able to use a tool like
SetAcl (free from SourceForge.net) or perhaps
the (poorly documented?) ShowAccs.exe from the
Support Tools.

Also note that the term "Folder" is not a clear term
in spite of it's current popularity, so I presume you
mean SHARES, but you might mean permissions
on Files and Directories. SetAcl, along with the
more normal CACLS.exe and XCACLS.exe are the
tools for NTFS file and directory permissions.

The problem with shares is that there is no trivial
way to find all permissions given to a User or Group
across all machines within the Domain (or larger trust
relationship, i.e., Forest or manual trusts) because
there is no trivial way to find all such shares.

As long as you can locate the shares, or at least the servers
you can list the shares with "net share" on each server.

Then "net share SHARENAME" will (at least in theory)
show you the users/groups with their permissions on that
share.

Net Share must however be excuted locally.

Computer Manager can also give you the list of shares on
each server, and even let you export it but since you cannot
get an exportable/printable list of users/groups there you
might as well use the command line for the entire process.

SrvCheck from the ResKit comes closest (I just found this
one <thanks>) since it gives the list of Shares and Permissions
in one command.

Send the output to a file and print it from notepad, etc.
[/QUOTE]

 

[Herb Martin]

How can I print what users are in certain AD Groups and what folders each
group has rights to. I can export a list of users to a txt file. But it only
list the users and groups, nothing about their rights etc.

You cannot print the Group members from within
AD Users/Computers (which you likely realized)
since Groups are NOT "containers" and don't appear
in the left browser pain to be printed like OUs (which
are containers.)

For Groups you can use on of the the Global.exe and
Local.exe programs from the ResKit (likely free on the
MS Website but not all of these tools are there.)

You can also write a script (VBS etc.) to do this or
look at some of the sample/tool scripts that are also
in the ResKit.

There is no practical way to show which folders
each group has permission to access -- unless you
can isolate the location of those folders (e.g., on
some specific file server.)

In which case you may be able to use a tool like
SetAcl (free from SourceForge.net) or perhaps
the (poorly documented?) ShowAccs.exe from the
Support Tools.

Also note that the term "Folder" is not a clear term
in spite of it's current popularity, so I presume you
mean SHARES, but you might mean permissions
on Files and Directories. SetAcl, along with the
more normal CACLS.exe and XCACLS.exe are the
tools for NTFS file and directory permissions.

The problem with shares (& NTFS) is that there is no
trivial way to find all permissions given to a User or
Group across all machines within the Domain (or larger
trust relationship, i.e., Forest or manual trusts) because
there is no trivial way to find all such shares.

As long as you can locate the shares, or at least the servers
you can list the shares with "net share" on each server.

Then "net share SHARENAME" will (at least in theory)
show you the users/groups with their permissions on that
share.

Net Share must however be excuted locally.

Computer Manager can also give you the list of shares on
each server, and even let you export it but since you cannot
get an exportable/printable list of users/groups there you
might as well use the command line for the entire process.

SrvCheck from the ResKit comes closest (I just found this
one <thanks>) since it gives the list of Shares and Permissions
in one command.

Send the output to a file and print it from notepad, etc.

[/QUOTE]