Q

Backward checking permission for groups in Active Directory

Get some useful tips for cleaning up you Active Directory.

We are new to AD and are trying to do some cleanup. We have a ton of groups, some which are legacy groups and may not be needed anymore. Is there any way to backward check permissions for these groups? In other words, we're trying to find out what a group has access to in order to determine if the group is still needed. Can AD accomplish this? If not, do you know of a tool that can? Thanks much!
This is not something that AD does. It seems like you are asking if the various user groups have access to resources. They confirm that you would have to check the permissions, group membership, and control lists on shares. The Active Directory Migration Tool can help with some of this and managing any big changes. There are also several Resource Kit utilities that allow you to check permissions and groups memberships. Scripted solutions are an option -- the Microsoft Script Center and the Script Center Depotare good choices. I have no doubt that there are utilities that you could purchase for this as well; however, I have a habit of selecting free tools.

Additional Expert Help:
Be sure to check our Answer FAQ for more expert advice.
For faster answers, visit ITKnowledge Exchange.

This was first published in December 2004

Dig deeper on Microsoft Active Directory Tools and Troubleshooting

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchServerVirtualization

SearchCloudComputing

SearchExchange

SearchSQLServer

SearchWinIT

SearchEnterpriseDesktop

SearchVirtualDesktop

Close