You can do this script stuff that you will be able to reuse with 2000/2003 AD.

Install WMI on the NT4 PDC. That allows you to run VBS (see Richard Mueller's web site http://www.rlmueller.net/freecode3.htm)
Add extra feature to create unique file per group with the group name as file name
Build simple text file
group name;owner smtp address
Create a script having this logic.
Open the simple text file as dictionary
For each itemi
Send itemi to itemii

Hope this helps
Cheers
christophe

-----Original Message-----
From: Desai, Manish [mailto:[EMAIL PROTECTED]
Sent: Friday, March 10, 2006 5:25 PM
To: Stephen Hefner; [EMAIL PROTECTED]; focus-ms@securityfocus.com
Subject: RE: Automate group membership validation

You can use the Dumpsec tool to generate group membership, owner information and permissions. However, you will have to manually email this information, which the owners can validate.

HTH.

Cheers
Manish Desai

-----Original Message-----
From: Stephen Hefner [mailto:[EMAIL PROTECTED]
Sent: Saturday, March 11, 2006 11:08 AM
To: [EMAIL PROTECTED]; focus-ms@securityfocus.com
Subject: RE: Automate group membership validation

You could script solution 3. For instance you could use the showmbrs or showlocal tools in the resource kit

Showmbrs \\servers1\somegroup >> ownername.txt

I'm not as familiar with the script to send it via email but one of my coworkers does that automated emailing all the time through scripts.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, March 10, 2006 6:58 AM
To: focus-ms@securityfocus.com
Subject: Automate group membership validation

Hi,

The company for which I work has a security policy that I have to comply with. According to this policy, all group lists providing access to shared information must be reviewed every 6 months. I have about 100 different folders, on only one file server, with different NTFS permissions to manage.
Each of those folders has an owner, and the owners have the responsibility to review who can access their folders. The security on each folder contains only one group of users and each group is only assigned to one folder. For example, the folder "folder01" would only have the "folder01group" group assigned to the folder with Modify permissions. The different ACLs are only applied on the root of these folders - so the folder "folder01\subfolder01" will have the same permissions as its parent (folder01group has Modify permissions).

The domain we are using right now is running on NT domain controllers, but we are planning to migrate to AD soon. The file server is running Windows 2000.

Now, what I would like to find is a way to automate the management of those permissions. Here are some of the solutions that could help me with complying with the new policy:

Solution example number 1:
The owners of the different folders go on some website (or maybe on some other software on a share). They log on using some username and password, and then they can view the members of the different user groups associated with the folders that they manage. They can validate the group and maybe send an e-mail to the Help Desk so we can remove the users.

Solution example number 2:
Same as solution 1, except that they can now manage the removal of users in their groups (the right would be delegated through AD). However, I don't want them to have to use some user manager. They have to get an easy interface where all they see is the folder names and user names.

Solution example number 3:
Some software running somewhere extracts the group membership and sends e-mails to the owners of the folders each month.

Is anyone here using a similar setup, or anything similar that could help me comply with this policy? Or does anyone know of some tools that could help me?

Regards,
B. Fortin
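
The logic outlined in the first reply of this thread (a "group name;owner smtp address" file read as a dictionary, one membership file per group named after the group, one mail per owner), as an added Python example that is not part of any message above. The one-member-per-line layout of `<group>.txt`, the function names and the sample groups and addresses are assumptions; the script also reports groups that would silently miss the review.

```python
import tempfile
from email.message import EmailMessage
from pathlib import Path

def load_owners(map_path):
    """Read 'group name;owner smtp address' lines into a dict."""
    owners = {}
    for n, line in enumerate(Path(map_path).read_text().splitlines(), 1):
        if not line.strip():
            continue
        group, sep, owner = (p.strip() for p in line.partition(";"))
        if not sep or not group or "@" not in owner:
            raise ValueError(f"{map_path}:{n}: expected 'group;owner@domain'")
        owners[group] = owner
    return owners

def build_reviews(map_path, dump_dir, sender):
    """Return (messages, gaps): one mail per group, plus what cannot be reviewed."""
    owners, dump_dir = load_owners(map_path), Path(dump_dir)
    messages, gaps = [], []
    for group, owner in sorted(owners.items()):
        dump = dump_dir / f"{group}.txt"   # assumed layout: one member per line
        if not dump.is_file():
            gaps.append(f"no membership dump for {group}")
            continue
        members = sorted({m.strip() for m in dump.read_text().splitlines() if m.strip()})
        msg = EmailMessage()
        msg["From"], msg["To"] = sender, owner
        msg["Subject"] = f"Access review: {group} ({len(members)} members)"
        msg.set_content(f"Members of {group}:\n" + "".join(f"  {m}\n" for m in members)
                        + "Reply with the accounts that should be removed.\n")
        messages.append(msg)
    # A dump with no owner line is a group nobody is asked to review.
    gaps += [f"no owner mapped for {d.stem}" for d in sorted(dump_dir.glob("*.txt"))
             if d.stem not in owners]
    return messages, gaps

def demo():
    """Run on constructed sample data (group names and addresses are made up)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "dumps").mkdir()
        (root / "owners.txt").write_text(
            "folder01group;alice@example.com\nfolder02group;bob@example.com\n")
        (root / "dumps" / "folder01group.txt").write_text("DOM\\jsmith\nDOM\\akhan\n")
        (root / "dumps" / "folder03group.txt").write_text("DOM\\tlee\n")
        return build_reviews(root / "owners.txt", root / "dumps", "helpdesk@example.com")

if __name__ == "__main__":
    messages, gaps = demo()
    print(*messages, gaps, sep="\n")   # send each with smtplib.SMTP(...).send_message(m)
```

The `gaps` list is what makes the six-month review auditable: it names every group with no owner mapped or no membership dump, so neither can drop out of a cycle unnoticed.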