
Active Directory Permissions Map // Software Required


12 replies to this topic

#1 shine_victim

shine_victim

    Neowinian

  • Joined: 09-March 05
  • Location: Belfast

Posted 18 September 2013 - 10:03

Hi all,

 

Need some information, recommendations!

 

I am looking for an app that will allow me to map out our folder structure that we can host on our intranet, or on a document.

 

What I want to achieve is to map out the directory structure; when a user clicks on a certain folder/folder level, they will be told what group they need to be in to access this folder, etc.

 

My web development skills are as good as my Greek mythology... non-existent! But happy to go this route if needs be.

 

Any information would be great.

 

Thanks in advance all.




#2 Nick H.

Nick H.

    Neowinian Senior

  • Tech Issues Solved: 7
  • Joined: 28-June 04
  • Location: Switzerland

Posted 18 September 2013 - 10:07

I can't help on the software front, I'm afraid, but I'm curious as to why you would want to do this? The users could right-click on the folder and check the properties for the groups that have access, or - and this is how we do it - they just send a request saying, "I want to access folder X" and we check the permissions for them. What kind of advantages can you see with your idea? I'm not knocking it at all, I'm just curious.

#3 OP shine_victim

shine_victim

    Neowinian

  • Joined: 09-March 05
  • Location: Belfast

Posted 18 September 2013 - 11:13

Believe me, Intrinsica, what you had outlined would have been our preference also, BUT the powers that be wanted the right-click ability within our Citrix environment completely disabled!

 

They have now come up with the ingenious idea of us developing this "Permissions Map" so users can open the application, click on a folder/directory and find out what groups have access to each folder.

 

Sometimes I wonder what I have done in a previous life that has resulted in me having to take technical specifications/designs from number crunchers!

 

I am thinking maybe something in Visual Basic may help me out!



#4 StrikedOut

StrikedOut

    Outside the box

  • Joined: 09-December 08
  • Location: Southampton

Posted 18 September 2013 - 12:35

Unfortunately, in the world of IT we are at the mercy of those higher paid yet ignorant of what they really need. It almost seems to me that they are not quite sure of what they want or are trying to achieve. I would make sure that they are clear on why they are asking for this and what they are trying to achieve with it.



#5 sc302

sc302

    Neowinian Senior

  • Tech Issues Solved: 21
  • Joined: 12-July 05
  • Location: NJ, USA

Posted 18 September 2013 - 12:53

What????

 

Users should not have access to that at all. Here is a PowerShell script that I run to get the information needed; this will put it in an aesthetically pleasing, Excel-looking window.

Get-ChildItem "C:\datafolder" | Where-Object { $_.PSIsContainer } | Get-Acl | Out-GridView



#6 Nick H.

Nick H.

    Neowinian Senior

  • Tech Issues Solved: 7
  • Joined: 28-June 04
  • Location: Switzerland

Posted 18 September 2013 - 13:32

> Users should not have access to that at all.

I'm not sure I follow. Why shouldn't users be able to look at what permissions they would need to ask for in order to gain access to a folder? There's no sensitive information being given to them. In fact they already have this ability by right-clicking on a folder and selecting the "security" tab, don't they?

#7 sc302

sc302

    Neowinian Senior

  • Tech Issues Solved: 21
  • Joined: 12-July 05
  • Location: NJ, USA

Posted 18 September 2013 - 13:39

Users should not see anything that they do not have access to; therefore users should not be able to request access to said folders. Managers who are in charge of the folders or content in said folders should make the request for the user to have access.

Users should not be allowed to request access to IT, it is up to the owner to give permission. IT does not own the content, they manage the permissions. IT should have controls to be able to easily identify groups and rights for folder access.

#8 Nick H.

Nick H.

    Neowinian Senior

  • Tech Issues Solved: 7
  • Joined: 28-June 04
  • Location: Switzerland

Posted 18 September 2013 - 14:24

But how does seeing the name of a folder cause any sort of security issue?

As for being allowed to request access to IT, of course they can. However there needs to be some sort of security in place, as like you said you can't go granting access to something without the owner's permission. In our case here, we have a folder request form which lists each of the owners of each folder. The users are told that the form must have the signature of the folder's owner, otherwise we deny the request.

#9 sc302

sc302

    Neowinian Senior

  • Tech Issues Solved: 21
  • Joined: 12-July 05
  • Location: NJ, USA

Posted 18 September 2013 - 14:33

If the user doesn't know it is there they won't question it or try to get into it and therefore the folder owner has the ability to hide in plain sight. We have controls in place to hide folders in drives if you do not have access to said folders. The manager who does can request access for the individual to have access. It is the same with anything, if you don't know you won't ask.

The user will not have access to run PowerShell to be able to run the script, which needs to be done on the server.

Someone in my company asked for everything in a particular folder; this includes performance reviews. The manager blindly said yes to all folder access and now I am waiting for crap to hit the fan. The performance reviews folder is hidden from all users but the manager and his secretary... I didn't question because I want him to learn a lesson on not just blindly giving access like he always does.

#10 Nick H.

Nick H.

    Neowinian Senior

  • Tech Issues Solved: 7
  • Joined: 28-June 04
  • Location: Switzerland

Posted 18 September 2013 - 15:04

Actually, that does remind me of several occasions where someone has requested access to an application, we've then asked them why they need to access it and they reply with, "I don't know, I was just told I needed it." Sorry, that's not a business justification.

Back to the discussion, I guess at the end of the day there are multiple ways to do things depending on the needs. Your company appears to be more security conscious than mine, although that's changing for us as time goes on.

#11 sc302

sc302

    Neowinian Senior

  • Tech Issues Solved: 21
  • Joined: 12-July 05
  • Location: NJ, USA

Posted 18 September 2013 - 16:14

Just as an example so that everyone can see what we are talking about: a folder is shared and is called operations, and a drive is mapped called O. The structure looks like this:

 

O:\daily activities

O:\public

O:\hello

O:\thisisafolder\thisisasecurefolder

 

In Active Directory we have a folder permission OU, and in that folder permission OU we have groups. The groups are defined: Operations_daily_activities, Operations_public, Operations_hello, Operations_thisisafolder, Operations_thisisasecurefolder.

 

By default all users in operations have access to public, but the rest of the folders are only able to be seen and accessed if you are in the proper group... and even still we have read-only groups and read-write groups for those folders, so we go even more granular than my example given. So say someone wants to have daily activities; when they browse the O drive they will see the following:

 

O:\daily activities

O:\public

 

All other folders will seem to not exist for that specific user, while the manager will have access to everything. We even have folders within folders that are locked out so they can't see anything in the above folders because they do not have access to the above folders; they just see the structure of O:\thisisafolder\thisisasecurefolder\ then they see all of the files and folders under this directory. This is all done with Active Directory permissions; there is no special software needed other than a 2008 Windows server.

 

IT needs to have controls to be able to properly assign folders easily. They define the controls needed in Active Directory; we (on this board) cannot do this for them. I have given you an example of such controls to use to help make IT's life easy.
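
Added example, not part of any post in this thread: one way to extend the one-liner from post #5 into a folder-to-group map that IT or a folder owner can consult when handling access requests. It assumes PowerShell 3.0 or later and an account that can read the ACLs on the server; $Root, $Depth, $OutFile and the Get-FolderLevel helper are hypothetical names chosen for illustration.

```powershell
# Added example: build a folder -> group "permissions map" for IT or folder owners.
# $Root, $Depth and $OutFile are assumed values; adjust them to the share being audited.
param(
    [string]$Root    = 'C:\datafolder',
    [int]   $Depth   = 2,
    [string]$OutFile = '.\permissions-map.csv'
)

function Get-FolderLevel {
    param([string]$Path, [int]$Remaining)
    # Walk one level at a time so the script also works where Get-ChildItem has no -Depth.
    Get-ChildItem -LiteralPath $Path -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object {
            $_
            if ($Remaining -gt 1) { Get-FolderLevel -Path $_.FullName -Remaining ($Remaining - 1) }
        }
}

$map = foreach ($folder in Get-FolderLevel -Path $Root -Remaining $Depth) {
    try {
        $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop
    } catch {
        # Record folders whose ACL could not be read instead of silently skipping them.
        [pscustomobject]@{ Folder = $folder.FullName; Group = '<ACL not readable>'
                           Rights = ''; Type = ''; Inherited = '' }
        continue
    }
    foreach ($ace in $acl.Access) {
        [pscustomobject]@{
            Folder    = $folder.FullName
            Group     = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Type      = $ace.AccessControlType   # Allow or Deny
            Inherited = $ace.IsInherited         # False = set explicitly on this folder
        }
    }
}

# One row per folder/group pair; the CSV can be filtered by folder to answer access requests.
$map | Sort-Object Folder, Group | Export-Csv -Path $OutFile -NoTypeInformation
# Explicit (non-inherited) entries show where per-folder groups were actually applied.
$map | Where-Object { $_.Inherited -eq $false } | Out-GridView -Title 'Explicit folder permissions'
```

With the group-per-folder naming described in post #11, the explicit entries should line up one-to-one with the groups in the folder permission OU; an explicit entry for an individual user account rather than a group is worth reviewing.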



#12 OP shine_victim

shine_victim

    Neowinian

  • Joined: 09-March 05
  • Location: Belfast

Posted 19 September 2013 - 10:08

This is perfect sc302.

 

I will check this avenue out and see how we get on.

 

Get-ChildItem "C:\datafolder" | Where-Object { $_.PSIsContainer } | Get-Acl | Out-GridView

 

Thanks all for your feedback!



#13 Redmak

Redmak

    Neowinian Senior

  • Tech Issues Solved: 35
  • Joined: 09-July 01
  • Location: Netherlands
  • OS: Windows 8
  • Phone: HTC One

Posted 19 September 2013 - 11:13

Dumpsec may work for you

 

http://www.systemtoo...soft/index.html




