Re: Determine what permissions a group has?



Hello clh,

The permissions are stored in the ACL of the resource, not the group, so it's difficult. Basically you have to poll each resource and see which groups have permissions to it. XCACLS.exe or a VBScript can read ACLs.

You could make a series of printer-membership groups and name them so that they are closely related to the printer name - Acct_prt and Acct_prtG, pg#Acct_prt or whatever. Knowing one would give you the other.

One possible option: You could query AD for printQueue objects to get your list of printers and roll through those (slow), or you could put each of those printer-membership groups into a master-printer group, so that you could poll the membership of one master list to get the complete list of printer-membership groups, then compare that to the user's membership. When you get a match, deploy the printer.

That way you don't have to worry about messy printer names or querying a huge AD structure each time you deploy. Groups are back-linked (member / memberOf) so it works in both directions.

printers
... acct_prt
... mkt_prt
... george_hp4000

master-Printer_grp (members)
... acct_prtG
... mkt_prtG
... george_hp4000G

George (memberOf)
... domain users
... george_hp4000G

Mary (memberOf)
... domain users
... acct_prtG
... george_hp4000G

etc...




Is it possible to somehow query an AD group and find out what
resources it has permissions to? I've found some info and examples on
determining what has permissions to a directory given the directory
name, but nothing going from the group side back to the resource.

What I really want to do is deploy printers via group membership.
BUT, I don't want to have to maintain an explicit list either in the
.vbs or a separate config file that maps groups to printers. I'd like
to be able to assign the printer share permission from a specific AD
group, then I can query the group to find out what printers it has
permissions to and then install those printers.

I already know how to get group memberships for a user, and how to
deploy printers in general. It's just the working backwards from a
group to determine what printers it has permissions to that I'm
missing, if it's even possible.
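
The master-group approach from the reply above, as an added example that is not part of the original posts: it intersects the master group's member list with a user's memberOf list and derives each printer share from the group name by dropping the trailing "G". The print server name `\\printsrv01`, the `example.com` distinguished names and the function names are assumptions made for illustration.

```vbscript
Option Explicit
Const GROUP_SUFFIX = "G"            ' thread's convention: group = share name + "G"
Const PRINT_SERVER = "\\printsrv01" ' assumption: hypothetical print server

' member/memberOf hold distinguished names; pull out the leading CN value.
Function CnFromDn(dn)
    Dim re, m
    Set re = New RegExp
    re.IgnoreCase = True
    re.Pattern = "^CN=((?:\\.|[^,\\])+)"   ' tolerates escaped commas (\,) in the CN
    Set m = re.Execute(dn)
    CnFromDn = ""
    If m.Count > 0 Then CnFromDn = m(0).SubMatches(0)
End Function

' UNC paths for every group that is both in the master printer group's member
' list and in the user's memberOf list (hypothetical helper).
Function PrintersFor(masterMemberDns, userMemberOfDns)
    Dim master, found, dn, cn, n
    Set master = CreateObject("Scripting.Dictionary")
    Set found = CreateObject("Scripting.Dictionary")
    master.CompareMode = vbTextCompare      ' DNs compare case-insensitively
    For Each dn In masterMemberDns
        master(dn) = True
    Next
    n = Len(GROUP_SUFFIX)
    For Each dn In userMemberOfDns
        cn = CnFromDn(dn)
        ' Only groups listed in the master group AND following the naming rule.
        If master.Exists(dn) And Len(cn) > n Then
            If StrComp(Right(cn, n), GROUP_SUFFIX, vbTextCompare) = 0 Then
                found(PRINT_SERVER & "\" & Left(cn, Len(cn) - n)) = True
            End If
        End If
    Next
    PrintersFor = found.Keys
End Function

' Constructed sample data mirroring the thread's layout. In a logon script the
' arrays would come from ADSI, e.g. GetObject("LDAP://<group DN>").GetEx("member")
' and the user object's GetEx("memberOf") (direct memberships only).
Dim masterMembers, maryGroups, unc
masterMembers = Array("CN=acct_prtG,OU=Groups,DC=example,DC=com", _
    "CN=mkt_prtG,OU=Groups,DC=example,DC=com", _
    "CN=george_hp4000G,OU=Groups,DC=example,DC=com")
maryGroups = Array("CN=Domain Users,CN=Users,DC=example,DC=com", _
    "CN=acct_prtG,OU=Groups,DC=example,DC=com", _
    "CN=george_hp4000G,OU=Groups,DC=example,DC=com")
For Each unc In PrintersFor(masterMembers, maryGroups)
    WScript.Echo unc   ' deploy with WScript.Network's AddWindowsPrinterConnection
Next
```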



