DodgeViper Posted June 23, 2010 Share Posted June 23, 2010 I'm trying to get a list of what a user is member of i.e. permissions, directory access, groups etc. I've tried using dsquery but when I run the command "dsquery user" it lists all the users in the domain, but how can I get it to list info about a specific user? Link to comment https://www.neowin.net/forum/topic/913348-using-dsquery-to-find-member-of-in-ad/ Share on other sites More sharing options...
sc302 Veteran Posted June 23, 2010 Veteran Share Posted June 23, 2010 I think you want to use dsget. but I don't think it will do what you are looking for. what you want are two different things. One is to scan active directory for group membership the other is to scan folders for directory accessability/permissions. This is where network design really comes into play and understanding how to build one. It sounds as if you are taking over someone elses mess and trying to figure it out, all I can say is get your clicker going. Take a look at what is being shared. You can use the perms command to be able to see what permissions x user has over the computer/server. perms is part of the 2003 resource kit which is free to dl from microsoft. There is probably a third party tool that has the capability you are looking for, and it will more than likely cost. How I would do it is look at the groups, find out the members of each group, find out what these members need access to. Look at the shares, see who has access to each share (this can be done by right clicking on my computer and clicking on manage, going into shared folders, then going into shares you can easily see all of the shares on one computer and you can easily manage the shares from here). It is a lot of work, but so is reading a text file and figuring out how to create said text file. Bottom line, it isn't easy, I have done this hundreds of times over (taking over a mess). Link to comment https://www.neowin.net/forum/topic/913348-using-dsquery-to-find-member-of-in-ad/#findComment-592802172 Share on other sites More sharing options...
-Viper- Posted June 23, 2010 Share Posted June 23, 2010 you need to pipe your commands... try something like this dsquery user -name "*UserName*" | dsget user -memberOf what this will do it query AD for a specific user and take the output of that and list what groups the user is a member of. if you do dsget user /? it will give you everything you can get about the user as well. Hope that helps Link to comment https://www.neowin.net/forum/topic/913348-using-dsquery-to-find-member-of-in-ad/#findComment-592802212 Share on other sites More sharing options...
+BudMan MVC Posted June 23, 2010 MVC Share Posted June 23, 2010 I think point sc302 was trying to make - is sure you can find the group memberships of a user, but that is not going to tell you where those groups have permissions or what they are, etc. You might want to check out http://technet.microsoft.com/en-us/sysinternals/bb664922.aspx and http://technet.microsoft.com/en-us/sysinternals/bb897332.aspx Link to comment https://www.neowin.net/forum/topic/913348-using-dsquery-to-find-member-of-in-ad/#findComment-592803354 Share on other sites More sharing options...
sc302 Veteran Posted June 23, 2010 Veteran Share Posted June 23, 2010 On 23/06/2010 at 16:12, BudMan said: I think point sc302 was trying to make - is sure you can find the group memberships of a user, but that is not going to tell you where those groups have permissions or what they are, etc. You might want to check out http://technet.microsoft.com/en-us/sysinternals/bb664922.aspx and http://technet.microsoft.com/en-us/sysinternals/bb897332.aspx was I not clear on that? Link to comment https://www.neowin.net/forum/topic/913348-using-dsquery-to-find-member-of-in-ad/#findComment-592803388 Share on other sites More sharing options...
+BudMan MVC Posted June 23, 2010 MVC Share Posted June 23, 2010 No you were clear, atleast to me - but I took it as the other poster did not catch the meaning of your post, atleast he made no mention that group membership will not give him what I took as what the user was after. "permissions, directory access, groups etc." Link to comment https://www.neowin.net/forum/topic/913348-using-dsquery-to-find-member-of-in-ad/#findComment-592803772 Share on other sites More sharing options...
-Viper- Posted June 24, 2010 Share Posted June 24, 2010 Sorry, I was just trying to imply that what I gave him would give him everything he needed, more that he did not want to get a listing of everyone in the domain, but rather one user. I will go back to my corner and be quiet. Link to comment https://www.neowin.net/forum/topic/913348-using-dsquery-to-find-member-of-in-ad/#findComment-592809808 Share on other sites More sharing options...
Recommended Posts