You could script solution 3. For instance you could use the showmbrs or showlocal tools in the resource kit
Showmbrs \\servers1\somegroup >> ownername.txt I'm not as familiar with the script to send it via email but one of my coworkers does that automated emailing all the time through scripts. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Friday, March 10, 2006 6:58 AM To: [email protected] Subject: Automate group membership validation Hi, The company for which I work has a security policy that I have to comply with. According to this policy, all grouplist providing access to shared information must be reviewed every 6 months. I have about 100 different folders, on only one file server, with different NTFS permissions to manage. Each of those folders has a owner, and the owners have the responsability to review who can access their folders. The security on each folder contains only one group of users and each group is only assigned to one folder. For example, the folder "folder01" would only have the "folder01group" group assigned to the folder with Modify permissions. The different ACLs are only applied on the root of these folders - so the folder "folder01\subfolder01" will have the same permissions has its parent (folder01group has Modify permissions). The domain we are using right now is running on NT domain controllers, but we are planning to migrate to AD soon. The file server is running Windows 2000. Now, what I would like to find is a way to automate the management of those permissions. Here are some of the solutions could help me with complying with the new policy : Solution example number 1 : The owners of the different folders go on some website (or maybe on some other software on a share). They logon using some username and password, and then they can view the members of the different user groups associated with the folders that they manage. They can validate the group and maybe send an e-mail to the Help Desk so we can remove the users. Solution example number 2 : Same as solution 1, except that they can now manage the removal of users in their groups (the right would be delegated through AD). However, I don't want them to have to use some user manager. They have to get an easy interface where all they see is the folders names and users names. Solution example number 3 : Some software running somewhere extracts the group membership and send e-mails to the owners of the folders each month. Anyone here is using a similar setup, or anything similar that could help me comply with this policy? Or anyone knows some tools that could help me? Regards, B. Fortin --------------------------------------------------------------------------- --------------------------------------------------------------------------- --------------------------------------------------------------------------- ---------------------------------------------------------------------------
