Re: Determine what permissions a group has?
- From: David Brown <david.brown@xxxxxxxxx>
- Date: Thu, 13 Sep 2007 19:48:44 +0000 (UTC)
Hello DJBrown,
I just realized I gave you the wrong tool. XCACLS reads the NTFS perms. For AD permissions, you need DSACLS.exe. It would still be a huge pain to use in this task though.
Hello clh,
The permissions are stored in the ACL of the resource, not the group,
so it's difficult. Basically you have to poll each resource and see
which groups have permissions to it. XCACLS.exe or a VBScript can
read ACLs.
You could make a series of printer-membership groups and name them so
that they are closely related to the printer name - Acct_prt and
Acct_prtG, pg#Acct_prt or whatever. Knowing one would give you the
other.
One possible option: You could query AD for printQueue objects to get
your list of printers and roll through those (slow) or you could put
each of those printer-membership groups into a master-printer group,
so that you could poll the membership of one master list to get the
complete list of printer-membership groups, then compare that to the
user's membership. When you get a match, deploy the printer.
That way you don't have to worry about messy printer names or querying
a huge AD structure each time you deploy. Groups are back-linked
(member / memberOf) so it works in both directions.
printers
  .. acct_prt
  .. mkt_prt
  .. george_hp4000

master-Printer_grp (members)
  .. acct_prtG
  .. mkt_prtG
  .. george_hp4000G

George (memberOf)
  .. domain users
  .. george_hp4000G

Mary (memberOf)
  .. domain users
  .. acct_prtG
  .. george_hp4000G

etc...

Is it possible to somehow query an AD group and find out what
resources it has permissions to? I've found some info and examples
on determining what has permissions to a directory given the
directory name, but nothing going from the group side back to the
resource.
What I really want to do is deploy printers via group membership.
BUT, I don't want to have to maintain an explicit list either in the
.vbs or a separate config file that maps groups to printers. I'd like
to be able to assign the printer share permission from a specific AD
group, then I can query the group to find out what printers it has
permissions to and then install those printers.
I already know how to get group memberships for a user, and how to
deploy printers in general. It's just the working backwards from a
group to determine what printers it has permissions to that I'm
missing, if it's even possible.
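
The master-group matching suggested in the reply above, as an added example that is not part of the original thread. It assumes the trailing "G" naming convention from the diagram and that each printer's share name equals its printer name; the function name, the print server PRINTSRV01 and the example.com DNs are constructed for illustration.

```powershell
# Added example, not from the thread. Hypothetical names: Get-PrintersForUser,
# PRINTSRV01, and the example.com DNs. Assumes group CNs contain no escaped commas.
function Get-PrintersForUser {
    param(
        [string[]]$MasterGroupMembers,  # 'member' values of master-Printer_grp
        [string[]]$UserMemberOf,        # 'memberOf' values of the user
        [string]$PrintServer
    )
    foreach ($groupDn in $MasterGroupMembers) {
        # -notcontains compares case-insensitively, which suits DN matching.
        if ($UserMemberOf -notcontains $groupDn) { continue }
        # First RDN is the group name: "CN=acct_prtG,OU=..." -> "acct_prtG".
        if ($groupDn -notmatch '^CN=([^,]+),') { continue }
        $groupName = $Matches[1]
        # Only a name ending in capital G maps to a printer under this convention.
        if ($groupName -cnotmatch '^(.+)G$') {
            Write-Warning "Skipping '$groupName': cannot derive a printer name"
            continue
        }
        "\\$PrintServer\$($Matches[1])"
    }
}

# Constructed sample data mirroring the diagram (Mary's groups).
# memberOf lists direct memberships only and omits the primary group
# (normally Domain Users), so that entry is absent here.
$master = 'CN=acct_prtG,OU=Groups,DC=example,DC=com',
          'CN=mkt_prtG,OU=Groups,DC=example,DC=com',
          'CN=george_hp4000G,OU=Groups,DC=example,DC=com'
$mary   = 'CN=acct_prtG,OU=Groups,DC=example,DC=com',
          'CN=george_hp4000G,OU=Groups,DC=example,DC=com'

Get-PrintersForUser -MasterGroupMembers $master -UserMemberOf $mary -PrintServer 'PRINTSRV01'

# Against a live directory (ActiveDirectory module), the two lists come from:
#   (Get-ADGroup 'master-Printer_grp' -Properties member).member
#   (Get-ADUser  'mary' -Properties memberOf).memberOf
```

The match only decides which printer connections to add. Access is still enforced by each print queue's own ACL, so every printer-membership group also needs the Print permission on its printer.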