We are new to AD and are trying to do some cleanup. We have a ton of groups, some of which are legacy groups and may not be needed anymore. Is there any way to backward check permissions for these groups? In other words, we're trying to find out what a group has access to in order to determine if the group is still needed. Can AD accomplish this? If not, do you know of a tool that can? Thanks much!
This is not something that AD does. It seems like you are asking if the various user groups have access to resources. They confirm that you would have to check the permissions, group membership, and control lists on shares. The Active Directory Migration Tool can help with some of this and managing any big changes. There are also several Resource Kit utilities that allow you to check permissions and group memberships. Scripted solutions are an option -- the Microsoft Script Center and Script Center Depot are good choices. I have no doubt that there are utilities that you could purchase for this as well; however, I have a habit of selecting free tools.
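The scripted approach mentioned in the answer, as an added example that is not part of the original question or answer: a PowerShell function that walks a set of folder trees and reports every NTFS access entry granted to a group, either directly or through a group it is nested in. The function name, group name and share path are hypothetical placeholders; the script assumes the ActiveDirectory module (RSAT) is installed and the account running it can read the ACLs.

```powershell
# Added example: report NTFS ACEs that reference an AD group (directly or via nesting).
# Get-GroupFileAccess, 'Legacy-Finance' and '\\fileserver\finance' are placeholders.
Import-Module ActiveDirectory

function Get-GroupFileAccess {
    param(
        [Parameter(Mandatory)] [string]   $GroupName,
        [Parameter(Mandatory)] [string[]] $RootPath
    )

    # Collect the SID of the group plus every group it is nested in: access
    # granted to a parent group still depends on the group under review.
    $group = Get-ADGroup -Identity $GroupName -Properties MemberOf
    $sids  = @{ $group.SID.Value = $group.Name }
    $queue = New-Object System.Collections.Queue
    $group.MemberOf | ForEach-Object { $queue.Enqueue($_) }
    while ($queue.Count -gt 0) {
        $parent = Get-ADGroup -Identity $queue.Dequeue() -Properties MemberOf
        if (-not $sids.ContainsKey($parent.SID.Value)) {
            $sids[$parent.SID.Value] = $parent.Name
            $parent.MemberOf | ForEach-Object { $queue.Enqueue($_) }
        }
    }

    foreach ($root in $RootPath) {
        $rootItem = Get-Item -LiteralPath $root
        $dirs = @($rootItem) + @(Get-ChildItem -LiteralPath $root -Directory -Recurse -ErrorAction SilentlyContinue)
        foreach ($dir in $dirs) {
            $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { continue }   # unreadable ACL: skip rather than abort the scan
            # Inherited entries only repeat the parent's ACE, so include them
            # for the root folder and report explicit entries everywhere else.
            $isRoot = $dir.FullName -eq $rootItem.FullName
            $rules  = $acl.GetAccessRules($true, $isRoot, [System.Security.Principal.SecurityIdentifier])
            foreach ($ace in $rules) {
                if ($sids.ContainsKey($ace.IdentityReference.Value)) {
                    [pscustomobject]@{
                        Path       = $dir.FullName
                        GrantedTo  = $sids[$ace.IdentityReference.Value]
                        Type       = $ace.AccessControlType
                        Rights     = $ace.FileSystemRights
                        Inherited  = $ace.IsInherited
                    }
                }
            }
        }
    }
}

# Example call (placeholder names):
# Get-GroupFileAccess -GroupName 'Legacy-Finance' -RootPath '\\fileserver\finance' | Export-Csv group-access.csv -NoTypeInformation
```

This covers NTFS folder ACLs only; share-level permissions are stored separately and need their own check on each file server (for example with `Get-SmbShareAccess`). An empty result for the scanned paths does not show the group is unused elsewhere.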