Ask the Expert

Backward checking permission for groups in Active Directory

We are new to AD and are trying to do some cleanup. We have a ton of groups, some which are legacy groups and may not be needed anymore. Is there any way to backward check permissions for these groups? In other words, we're trying to find out what a group has access to in order to determine if the group is still needed. Can AD accomplish this? If not, do you know of a tool that can? Thanks much!

Requires Free Membership to View

This is not something that AD does. It seems like you are asking if the various user groups have access to resources. They confirm that you would have to check the permissions, group membership, and control lists on shares. The Active Directory Migration Tool can help with some of this and managing any big changes. There are also several Resource Kit utilities that allow you to check permissions and groups memberships. Scripted solutions are an option -- the Microsoft Script Center and the Script Center Depotare good choices. I have no doubt that there are utilities that you could purchase for this as well; however, I have a habit of selecting free tools.

Additional Expert Help:
Be sure to check our Answer FAQ for more expert advice.
For faster answers, visit ITKnowledge Exchange.

This was first published in December 2004

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: