Determining What a Group Has Access To...
I've inherited an AD domain and servers with MANY groups, a lot of which are likely obsolete (for example, "MA-Y2K"). I'd like to whittle down the list by finding out if there are even resources assigning permissions to certain groups. How can I, by script or other method, determine all/any resources assigned to a particular group?

For example, I could enter "FindAssignedResources.vbs MA-Y2K" on my file server and I would get back a list of files and folders that had *any* permissions assigned specifically to that group. It might be tedious (I'd run it overnight with output to a text file), but proper housekeeping is never easy.

--
Thanks, Dave

Dave,

Similar topic came up yesterday in another group. Check out the following:
http://groups.google.com/group/microsoft.public.windows.server.active_directory/browse_thread/thread/b432a8d85487074d

Best,

"Dave D." <Da***@discussions.microsoft.com> wrote in message news:7A36B769-E1DE-4BFA-B3B0-1B9A2297563D@microsoft.com...
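An added example of the kind of script Dave asks for (it is not from the thread, and it is PowerShell rather than the VBScript he names). The group, the scan root and the output file are placeholders. It walks a tree, reads each DACL, and reports only explicit (non-inherited) ACEs whose SID is the group's, so the list is the set of places where someone deliberately granted that group something; an inherited ACE on a child is the same grant already reported on the ancestor carrying it.

```powershell
<#
Added example, not from the thread: report every file and folder under a root
whose DACL carries an explicit (non-inherited) ACE for one group. Group and
path names are placeholders. Run it on the file server (or against the UNC
path) as an account that can read every ACL, e.g. a member of Administrators
or Backup Operators.

Usage: .\Find-AssignedResources.ps1 -Group 'CONTOSO\MA-Y2K' -Path 'D:\Shares' -OutFile .\MA-Y2K.csv
#>
param(
    [Parameter(Mandatory)] [string] $Group,                 # DOMAIN\Name
    [Parameter(Mandatory)] [string] $Path,                  # root of the tree to scan
    [string] $OutFile = '.\AssignedResources.csv'
)

# Resolve the group to its SID once. Comparing SIDs rather than names also
# catches ACEs the server shows as an unresolved S-1-5-... because the group
# has since been renamed. Translate throws if the name cannot be resolved.
$sid = (New-Object System.Security.Principal.NTAccount($Group)).Translate(
           [System.Security.Principal.SecurityIdentifier])

# Include the root itself; Get-ChildItem -Recurse yields only its descendants.
$items = @(Get-Item -LiteralPath $Path) +
         @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

$hits = foreach ($item in $items) {
    try {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
    } catch {
        # Folders the scanning account cannot read are reported, not skipped silently.
        Write-Warning "Cannot read ACL on $($item.FullName): $($_.Exception.Message)"
        continue
    }
    # Explicit ACEs only (includeExplicit = $true, includeInherited = $false),
    # returned with SIDs so the comparison does not depend on name resolution.
    $rules = $acl.GetAccessRules($true, $false,
                 [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.IdentityReference.Value -eq $sid.Value) {
            [pscustomobject]@{
                Path        = $item.FullName
                Type        = $ace.AccessControlType    # Allow or Deny
                Rights      = $ace.FileSystemRights
                Inheritance = $ace.InheritanceFlags     # whether the grant flows to children
            }
        }
    }
}

$hits | Export-Csv -LiteralPath $OutFile -NoTypeInformation
"{0} explicit ACE(s) for {1} ({2}) under {3}" -f @($hits).Count, $Group, $sid.Value, $Path
```

Because only explicit ACEs are reported, start each run at the root of a share (or volume); a grant placed above the scan root would otherwise show up nowhere. The scan covers NTFS DACLs only: share-level permissions, the Exchange and workstation rights Al raises below, and access the group gets indirectly by being a member of some other permitted group all need their own checks.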
"Dave D." <Da***@discussions.microsoft.com> wrote in message news:7A36B769-E1DE-4BFA-B3B0-1B9A2297563D@microsoft.com...

Proper housekeeping would be, of course, easier if it had been maintained all along...

There are a couple of issues here:

- the extent of "resources" that are permitted to the groups. NTFS permissions on servers, though tedious, are relatively easy to deal with. If Exchange server is involved, then there is the possibility that some of the groups are used to assign various rights on Exchange objects. There is also the possibility of permissions on workstations having been set up for some undocumented purpose (e.g. to run software that would otherwise require admin privs to function). Perhaps other types of resources make use of permissions.

- the "organization" of the groups, and of how folders are permitted. If this has been done methodically using best practices, your job will be simplified. Our practice is that groups that are actually given permission to resources follow these restrictions:

  --- there is a strict one-to-one relationship between these groups and the resources they are permitted to (one folder may be permitted to multiple groups, but only to enable different types of permissions, namely read-only vs. read/write).
  --- any folder permitted to a group will have all of its contained folders inheriting the same permission.
  --- these resource permission groups will contain other groups, but they will not be members of any other groups.

If the assignment of permissions in your organization is more ad hoc, that will make things more complicated. There might be some benefit in migrating the current configuration to a more manageable one along the lines of ours, using the same procedure we did:

step 1:
  folder abc permitted read/write to groups xyz1, xyz2, xyz3
  folder def permitted read/write to groups xyz1, xyz2, xyz4, and read-only to xyz3
step 2:
  create group abc-W containing xyz1, xyz2, xyz3
  create group def-W containing xyz1, xyz2, xyz4
  create group def-R containing xyz3
step 3:
  permit folder abc read/write to group abc-W
  permit folder def read/write to group def-W
  permit folder def read-only to group def-R
step 4:
  after a few days: remove original permissions from folders abc, def.

The effective permissions (who can access what, and how) will remain unchanged; however, ALL further changes to permissions will be done only by modifying group membership.

Of course, in order to perform the above steps, you first need to determine all the permissions that exist. We did that by filtering the output of cacls.exe. Our main issue was to identify permissions to individual accounts. All through the process we consulted with the user community to determine which permissions were obsolete, and which folders were obsolete. We identified quite a few folders as likely obsolete by the fact that the most recent modify date of the files was years ago. We basically went from an ad hoc permission arrangement to something more generic, as we also looked for ways to generalize group membership according to such factors as departmental affiliation, committee membership, application usership, etc.

Of course, we were only dealing with a single server at a site of about 350 users for whom we are also the local IT support group. You have more servers, and if you are the central IT organization you might not have as close a relationship with the users, nor the time to work that way.

I didn't answer your question directly, but hopefully you will find some benefit from my comments.

/Al
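An added example, not from the thread, of Al's steps 2 to 4 in PowerShell. It assumes the ActiveDirectory module (RSAT) is installed, that the account running it may create groups in the target OU and rewrite the folders' DACLs, and that the domain name, OU, folder paths and group names are placeholders standing in for his abc/def folders and xyz1..xyz4 groups. The new groups are made domain local because, under Al's third rule, they exist only to be named in ACEs and to hold other groups, never to be members themselves.

```powershell
<#
Added example, not from the thread: Al's step 2 to step 4 in PowerShell.
Assumptions: ActiveDirectory module present, sufficient rights in AD and on
the folders, and the names below are placeholders for his abc/def and xyz*.
#>
Import-Module ActiveDirectory

$domain = 'CONTOSO'                                   # NetBIOS domain name (assumed)
$ou     = 'OU=Resource Groups,DC=contoso,DC=com'      # where the new groups live (assumed)

# Step 1 is the inventory Al describes: one row per folder and permission level.
# Modify and ReadAndExecute are the NTFS equivalents of his read/write and read-only.
$plan = @(
    @{ Folder = 'D:\Shares\abc'; Group = 'abc-W'; Rights = 'Modify';         Members = 'xyz1','xyz2','xyz3' }
    @{ Folder = 'D:\Shares\def'; Group = 'def-W'; Rights = 'Modify';         Members = 'xyz1','xyz2','xyz4' }
    @{ Folder = 'D:\Shares\def'; Group = 'def-R'; Rights = 'ReadAndExecute'; Members = 'xyz3' }
)

foreach ($p in $plan) {
    # Step 2: one resource group per folder and permission level. Domain local,
    # because the group is only ever named in ACEs on this domain's servers and
    # only ever contains other groups (Al's one-to-one and no-nesting-upward rules).
    $g = Get-ADGroup -Filter "Name -eq '$($p.Group)'"
    if (-not $g) {
        $g = New-ADGroup -Name $p.Group -GroupScope DomainLocal -GroupCategory Security `
                         -Path $ou -Description "NTFS $($p.Rights) on $($p.Folder)" -PassThru
    }
    # Add only the members not already present, so re-running the script is harmless.
    $have = @(Get-ADGroupMember -Identity $g | Select-Object -ExpandProperty SamAccountName)
    $add  = @($p.Members | Where-Object { $_ -notin $have })
    if ($add.Count) { Add-ADGroupMember -Identity $g -Members $add }

    # Step 3: grant the new group on the folder, inheritable by every contained
    # folder and file (Al's second rule). The ACE sits beside the existing ones,
    # so nothing changes for current users yet.
    $acl  = Get-Acl -LiteralPath $p.Folder
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
                "$domain\$($p.Group)",
                [System.Security.AccessControl.FileSystemRights]$p.Rights,
                [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
                [System.Security.AccessControl.PropagationFlags]::None,
                [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    # Set-Acl resolves the group name through the file server's DC; a group
    # created moments ago on another DC may not resolve until replication.
    Set-Acl -LiteralPath $p.Folder -AclObject $acl
}

# Step 4, run after a few days once access through the new groups is confirmed:
# drop the original direct ACEs. Effective access is unchanged because the same
# principals now arrive via abc-W / def-W / def-R. -WhatIf previews the change.
function Remove-OriginalAces {
    [CmdletBinding(SupportsShouldProcess)]
    param([string] $Folder, [string[]] $OldGroups)
    $names = $OldGroups | ForEach-Object { "$domain\$_" }
    $acl   = Get-Acl -LiteralPath $Folder
    foreach ($ace in @($acl.Access)) {          # copy: the collection shrinks as we remove
        if (-not $ace.IsInherited -and $ace.IdentityReference.Value -in $names) {
            [void] $acl.RemoveAccessRule($ace)
        }
    }
    if ($PSCmdlet.ShouldProcess($Folder, "remove direct ACEs for $($names -join ', ')")) {
        Set-Acl -LiteralPath $Folder -AclObject $acl
    }
}
# Remove-OriginalAces -Folder 'D:\Shares\abc' -OldGroups 'xyz1','xyz2','xyz3' -WhatIf
# Remove-OriginalAces -Folder 'D:\Shares\def' -OldGroups 'xyz1','xyz2','xyz3','xyz4' -WhatIf
```

Run the first part, wait the few days Al suggests while users work through the new groups, then run Remove-OriginalAces without -WhatIf. From that point a permission change is a group-membership change in AD, which is what makes the "does anything still use MA-Y2K" question answerable later without rescanning the file system.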