
Group permissions help

Posted: July 5, 2006, 1:18 pm
by sarlen
We are currently switching over to a global domain and in the process we have to validate all of our groups in AD. I came across a group that has 50 or so people in it but I can't seem to find what the group controls. The group has no description and the members don't give any clues as to what it was for. Does anyone know a way to search the network for what this group possibly controls? I tried the obvious of removing a few people to see if anything changed for them and nothing seemed to change, but I can't risk just removing everyone and seeing what happens.

Posted: July 5, 2006, 3:39 pm
by Zaelath
You could try something like:

cacls *.* /T > foo.txt

Then filter the output using find:

find "Group Name" foo.txt

Perl would be a better tool, since DOS find kinda sucks feature-wise.

Certainly cacls will show you if the group is used on the file system level. I don't know of a similar tool for share permissions, but hopefully that's manually searchable?
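Added example, not part of the original posts: cacls prints the path only on the first ACE line of each entry, so a plain find match on an indented continuation line loses the file name. This Python script ties each matching ACE back to its path; the sample text and the group CORP\LegacyGroup are constructed, and it assumes the saved output keeps cacls's aligned layout.

```python
def _entry(path, *aces):
    """Build one constructed entry in cacls layout: path, then aligned ACEs."""
    pad = "\n" + " " * (len(path) + 1)
    return path + " " + pad.join(aces)

# Constructed sample; CORP\LegacyGroup is a hypothetical group name.
SAMPLE = "\n\n".join([
    _entry(r"C:\Data\Finance", r"BUILTIN\Administrators:(OI)(CI)F",
           r"CORP\LegacyGroup:(OI)(CI)C"),
    _entry(r"C:\Data\Old Reports\q3.xls", r"CORP\LegacyGroup:R",
           r"BUILTIN\Administrators:F"),
    _entry(r"C:\Data\readme.txt", r"BUILTIN\Administrators:F",
           r"CORP\LegacyGroup2:R"),
])

def group_aces(cacls_text, group):
    """Return [(path, rights)] for every ACE whose account equals `group`."""
    needle = group.lower() + ":"
    hits, header = [], ""
    for line in cacls_text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # New entry: the path and the first ACE share this line.
            header = line
            idx = line.lower().find(" " + needle)
            if idx != -1:
                start = idx + 1 + len(needle)
                hits.append((line[:idx].rstrip(), line[start:].strip()))
        else:
            # Continuation: the ACE is aligned under the first one, so the
            # indent width marks where the path ends in the header line.
            ace = line.strip()
            if ace.lower().startswith(needle):
                indent = len(line) - len(line.lstrip())
                hits.append((header[:indent].rstrip(), ace[len(needle):]))
    return hits

if __name__ == "__main__":
    for path, rights in group_aces(SAMPLE, r"CORP\LegacyGroup"):
        print(f"{rights:12} {path}")
```

The match is on the full DOMAIN\Name account followed by a colon, so a similarly named group such as CORP\LegacyGroup2 is not reported.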

Re: Group permissions help

Posted: July 5, 2006, 3:48 pm
by Animalor
sarlen wrote: We are currently switching over to a global domain and in the process we have to validate all of our groups in AD. I came across a group that has 50 or so people in it but I can't seem to find what the group controls. The group has no description and the members don't give any clues as to what it was for. Does anyone know a way to search the network for what this group possibly controls? I tried the obvious of removing a few people to see if anything changed for them and nothing seemed to change, but I can't risk just removing everyone and seeing what happens.

This is one of the problems with AD. Once you give a group control to a resource, there's no way (that I know of) to backtrack what the group controls.

Posted: July 5, 2006, 4:09 pm
by sarlen
I found a tool that looks like it will pull the info I need: http://www.systemtools.com/hyena/index.html Not sure if it's exactly what I'm looking for, but gonna give it a try.

Posted: July 5, 2006, 5:57 pm
by Zeep
Also, it could not be used by anything else in AD. An external application could check AD for group membership, and that wouldn't be reflected anywhere in the tree...

Zeep