Problem solve Get help with specific problems with your technologies, process and projects.

Backward checking permission for groups in Active Directory

Get some useful tips for cleaning up you Active Directory.

We are new to AD and are trying to do some cleanup. We have a ton of groups, some which are legacy groups and may not be needed anymore. Is there any way to backward check permissions for these groups? In other words, we're trying to find out what a group has access to in order to determine if the group is still needed. Can AD accomplish this? If not, do you know of a tool that can? Thanks much!
This is not something that AD does. It seems like you are asking if the various user groups have access to resources. They confirm that you would have to check the permissions, group membership, and control lists on shares. The Active Directory Migration Tool can help with some of this and managing any big changes. There are also several Resource Kit utilities that allow you to check permissions and groups memberships. Scripted solutions are an option -- the Microsoft Script Center and the Script Center Depotare good choices. I have no doubt that there are utilities that you could purchase for this as well; however, I have a habit of selecting free tools.

Additional Expert Help:
Be sure to check our Answer FAQ for more expert advice.
For faster answers, visit ITKnowledge Exchange.

Dig Deeper on Windows administration tools

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.