Active Directory - find what objects a group can access

beatdown

Technical User
Feb 27, 2005
85
US
We have a bunch of Security Groups in Active Directory, which I suspect are outdated and no longer needed. I'd like to delete them, but first I want to make sure they are no longer assigned to any objects, or shared folders, etc.

So my question is, how can I search or query AD to get a listing of what objects a group has access to?

I assume there must be a way to search for this info, because the only other way to find out would be to look at the permissions tab of every shared folder on the network.

Thanks!
 
Microsoft's Sysinternals offer tools that should help you painlessly resolve the task you are after. Two such utilities that will quickly enumerate permissions on your servers are AccessChk and AccessEnum. Have a look at the links below.

- AccessChk v4.23
- AccessEnum v1.32

Joey
CCNA, MCSA 2003, MCP, A+, Network+, Wireless#
 
Those are some nice tools I didn't know about.

Is there a way to make accesschk only show folders on which permissions are explicitly applied? Meaning don't count the file/folder if the user/group in question got its permissions via inheritance.

Thanks,
Andrew

[smarty] Hard work often pays off over time, but procrastination pays off right now!
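
The explicit-versus-inherited filter asked about above can be done with PowerShell's built-in `Get-Acl`. This is an added example, not part of the original thread and not an AccessChk feature; the share path and group name are hypothetical placeholders.

```powershell
# Added example: list folders where a group holds an ACE that was set
# directly on the folder (IsInherited = False), ignoring inherited entries.
# $Root and $Group are hypothetical placeholders; replace with your own values.
param(
    [string]$Root  = '\\fileserver\share',
    [string]$Group = 'CONTOSO\Old-Group'
)

function Get-ExplicitGroupAce {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity
    )
    # Root folder plus every subfolder; folders that cannot be listed are skipped.
    $folders = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue)

    foreach ($folder in $folders) {
        try {
            $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop
        } catch {
            Write-Warning "Cannot read ACL: $($folder.FullName)"
            continue
        }
        foreach ($ace in $acl.Access) {
            # -eq on strings is case-insensitive, so DOMAIN\Group casing does not matter.
            if (-not $ace.IsInherited -and $ace.IdentityReference.Value -eq $Identity) {
                [pscustomobject]@{
                    Path   = $folder.FullName
                    Group  = $ace.IdentityReference.Value
                    Type   = $ace.AccessControlType    # Allow or Deny
                    Rights = $ace.FileSystemRights
                }
            }
        }
    }
}

Get-ExplicitGroupAce -Path $Root -Identity $Group |
    Sort-Object Path |
    Format-Table -AutoSize
```

This reads NTFS folder ACLs only; share-level permissions and AD object ACLs need separate checks, and access the group receives through membership in another group is not reported.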
 