> Further to what Jorge said, the reason that there is no such tool (imho, at
> least) is:
>
> a) the wide variety of resources that can be permitted to AD groups. This
> includes things such as exchange public folders; printers; folders on
> workstations; data resources within AD-aware applications; and:
>
> b) the fact that groups are used for other purposes than to specifically
> permit things to them. This includes aggregating users info functional
> groups for a variety of administrative purposes.
>
> Regardless of what your analysis turns up, you might never be able to answer
> the question: "will deleting this group break something, somewhere?" with a
> definite "No".
>
> As Jorge (under)states:
>
> "this is a reason WHY you should design your group(naming), permissions
> and resources very carefully"
>
> There are a number of approaches to achieving this. Rather than tell you my
> particular approach, I'll just share with you the main goal: once properly
> organized, you should never be in the position of wondering what the purpose
> of any particular group is.
>
> /Al
>
> "OnPoint" <OnPo...[ at ]discussions.microsoft.com> wrote in message
>
> news:EDA6A83C-2EF9-4412-BBA1-5049C92AB904[ at ]microsoft.com...
>
>
>
> > Jorge, thanks tremendously for the information. I will do more research on
> > these tools tomorrow when I arrive at the office.
> > --
> > All About Solutions!!
>
> > "Jorge de Almeida Pinto [MVP - DS]" wrote:
>
> >> no there isn't one tool or way to show all permission assignment to
> >> resources for a certain group or user
>
> >> for AD try to use DSREVOKE
> >> for files/folders/shares/services try to use SUBINACL
>
> >> AD is distributed so you would only need to consult one DC for each AD
> >> domain
> >> for other non-distributed resources you need to consult each server
>
> >> this is a reason WHY you should design your group(naming), permissions
> >> and
> >> resources very carefully
>
> >> --
>
> >> Cheers,
> >> (HOPEFULLY THIS INFORMATION HELPS YOU!)
>
> >> # Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #
>
> >> BLOG (WEB-BASED)-->
http://blogs.dirteam.com/blogs/jorge/default.aspx> >> BLOG (RSS-FEEDS)-->
http://blogs.dirteam.com/blogs/jorge/rss.aspx> >> ------------------------------------------------------------------------------------------
> >> * How to ask a question -->
http://support.microsoft.com/?id=555375> >> ------------------------------------------------------------------------------------------
> >> * This posting is provided "AS IS" with no warranties and confers no
> >> rights!
> >> * Always test ANY suggestion in a test environment before implementing!
> >> ------------------------------------------------------------------------------------------
> >> #################################################
> >> #################################################
> >> ------------------------------------------------------------------------------------------
>
> >> "OnPoint" <OnPo...[ at ]discussions.microsoft.com> wrote in message
> >>news:7339A597-9983-4BCE-A8EF-73D1272A61D9[ at ]microsoft.com...
> >> > Hey folks, newbie here..
>
> >> > Are there any utilities within Windows Server 2003 or Active Directory
> >> > that
> >> > will tell me all of the resources which a particular Global Group
> >> > grants
> >> > access to? So for example, User A is a member of the Global group
> >> > G_TEST_Resources. But no one seems to know what this group gives
> >> > access
> >> > to.
>
> >> > I'm looking for a tool\utility that can tell me if the group gives
> >> > access
> >> > to
> >> > a particular share, a folder on a share, a printer, sharepoint,
> >> > site.etc..
> >> > I
> >> > took a look through the Windows Resource Kit Tools for Server 2003 but
> >> > nothing seemed to jump out. For my client this is a huge compliancy
> >> > issue
> >> > when you dont know what your global groups even give access to..SMH...
> >> > Any
> >> > help is appreciated.
> >> > --
> >> > All About Solutions!!- Hide quoted text -
>
> - Show quoted text -