Re: Finding unused/dead groups?

2010-08-30 Thread Jeff Steward
I'm not using DFS for redundancy or replication but for the namespace, so my
shares look like \\myorg.com\Public\Apps.  The advantage for me is that I
don't have to change update scripts or worry about server renames, I just
update the DFS to point to the share(s) as needed.  I find this particularly
useful so that network installs of say Office don't break over time.  Also,
separating the server name from the share gives a more consistent naming
approach to network resources.

"What would I name the RG’s? FWIW we have more than one server using the
share name “Applications” (don’t ask…)."  Okay. I won't ask.

Presumably there is some logic/reasoning behind this and you will have to
identify a naming scheme that makes sense for your organization.  Let's
pretend for a moment that SERVER-1 is used by the Engineering group.  Due to
your current naming convention, you will have to do some work figuring out
appropriate names.

Server1 has a resource (a share) named Applications currently shared as
\\Server1\Applications

Create the groups and assign permissions as shown.

RG_ENG_Applications   *Full control permissions*
RG_ENG_ApplicationsRead  *Read only permissions*
RG_ENG_ApplicationsModify *Modify permissions*

Where convenient mappings don't exist for adding groups to the above RG_
group, you can create another set of groups if needed:

AG_ENG_Applications
AG_ENG_ApplicationsRead

Use these groups to add your one off type users such as an administrative
assistant who is assisting the Engineering group, but you don't want to add
for example all admin assistants.

This methodology requires more upfront work, but saves work over the long
haul.  Using DFS namespace for shares also reduces maintenance over the long
haul and may provide other benefits depending on your organizational needs.

-Jeff Steward


On Mon, Aug 30, 2010 at 12:59 PM, David Lum  wrote:

>  No DFS here – they use clusters and SANs to achieve their desired
> redundancy.
>
>
>
> I’m trying to wrap around how I would apply this at %dayjob%. For example,
> I have one server here that I have 14 security groups for example:
>
> SERVER1-Applications
>
> SERVER1-Applications-Planning
>
> SERVER1-Applications-Planning-2010
>
> SERVER1-Applications-Planning-2010-Readonly
>
> SERVER1-Executive
>
> SERVER1-Shared
>
> SERVER1-Shared-Development
>
> Etc
>
>
>
> What would I name the RG’s? FWIW we have more than one server using the
> share name “Applications” (don’t ask…).
>
>
>
> Dave
>
>
>
> *From:* Jeff Steward [mailto:jstew...@gmail.com]
> *Sent:* Monday, August 30, 2010 9:15 AM
>
> *To:* NT System Admin Issues
> *Subject:* Re: Finding unused/dead groups?
>
>
>
> Link to discussion of AG/RG method:
> http://technet.microsoft.com/en-us/library/cc740013(WS.10).aspx
>
>
>
> It may be helpful to preface your security group names with AG_  RG_  ACL_
> to differentiate between the group types.
>
>
>
> -Jeff Steward
>
> On Mon, Aug 30, 2010 at 12:06 PM, Andrew S. Baker 
> wrote:
>
> +1
>
>
> *ASB *(My XeeSM Profile) <http://XeeSM.com/AndrewBaker>
> *Exploiting Technology for Business Advantage...*
>
> On Mon, Aug 30, 2010 at 11:56 AM, Ken Schaefer 
> wrote:
>
>  For scalability you should use an Authorisation Group -> Resource Group
> strategy.
>
> Your AGs are based on teams or departments. Your RGs are assigned to the
> ACLs for each resource. You put your AGs into your RGs. This makes
> provisioning/deprovisioning simple.
>
> Your RGs probably shouldn't have the server name embedded. You use DFS-N
> right? So, the RG can be based on the share name and the type of access.
>
> For really small environments your strategy can work, but it won't scale.
>
> Cheers
> Ken
>
>
> -Original Message-
> From: David Lum [mailto:david@nwea.org]
>
> Sent: Monday, 30 August 2010 11:48 PM
> To: NT System Admin Issues
>
> Subject: RE: Finding unused/dead groups?
>
> In no environment (of six that I manage) have I moved servers outright
> where this would be an issue, replacement file servers (quite rare in fact)
> inherit the same name and new servers get new groups.
>
> Having said that, you do bring up a good point to consider going forward.
> Is it possible to script changing AD group names in bulk? If I had 20 group
> names that started SERVER1_ change them to SERVER2_ ?
>
> If not server names, what do you use for an AD group name used to accessing
> file shares?
>
> Dave
>
> -Original Message-
> From: Ben Scott [mailto:mailvor...@gmail.com]
> Sent: Wednesday, August 18, 2010 3:08 PM
> To: NT System Admin Issues
> Subject: Re: Finding unused/dead gro
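
The RG_/AG_ layout from Jeff's message above, sketched in PowerShell as an added example (not code from anyone in this thread). It assumes the ActiveDirectory module, a placeholder OU, domain-local scope for RG_ groups and global scope for AG_ groups; the thread specifies none of these.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the thread. Group names and the share path are the
# ones used in the message above; everything marked "assumption" is not.
# Run with -WhatIf first: the AD and ACL cmdlets below honour it.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SharePath = '\\Server1\Applications',
    [string]$GroupOU   = 'OU=Groups,DC=example,DC=com'   # placeholder OU (assumption)
)

# Resource groups: one per access level, each mapped to a single NTFS right.
$resourceGroups = [ordered]@{
    'RG_ENG_Applications'       = 'FullControl'
    'RG_ENG_ApplicationsModify' = 'Modify'
    'RG_ENG_ApplicationsRead'   = 'ReadAndExecute'  # "read only"; execute kept so installers run (assumption)
}

# Access groups and the resource group each one is nested into.
# People are only ever added to AG_ groups, never to RG_ groups or the ACL.
$nesting = @{
    'AG_ENG_Applications'     = 'RG_ENG_Applications'
    'AG_ENG_ApplicationsRead' = 'RG_ENG_ApplicationsRead'
}

# 1. Create any group that does not exist yet.
$groups = @{}
foreach ($name in @($resourceGroups.Keys) + @($nesting.Keys)) {
    $scope = if ($name -like 'RG_*') { 'DomainLocal' } else { 'Global' }  # assumption
    $group = Get-ADGroup -Filter "SamAccountName -eq '$name'"
    if (-not $group) {
        $group = New-ADGroup -Name $name -SamAccountName $name -GroupScope $scope `
            -GroupCategory Security -Path $GroupOU -PassThru
    }
    $groups[$name] = $group   # stays $null under -WhatIf if the group is missing
}

# 2. Nest each AG_ into its RG_ (skipped if already a member).
foreach ($ag in $nesting.Keys) {
    $rg = $nesting[$ag]
    if (-not ($groups[$ag] -and $groups[$rg])) { continue }
    $members = Get-ADGroupMember -Identity $rg | Select-Object -ExpandProperty SamAccountName
    if ($members -notcontains $ag) {
        Add-ADGroupMember -Identity $rg -Members $ag
    }
}

# 3. Put exactly one ACE per RG_ on the folder behind the share. This edits the
#    NTFS ACL; share-level permissions are a separate setting. The ACE is built
#    from the SID, so it does not depend on name resolution for a new group.
$acl = Get-Acl -Path $SharePath
foreach ($rg in $resourceGroups.Keys) {
    if (-not $groups[$rg]) { continue }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $groups[$rg].SID,
        [System.Security.AccessControl.FileSystemRights]$resourceGroups[$rg],
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.SetAccessRule($rule)   # replaces an earlier ACE for the same group
}
Set-Acl -Path $SharePath -AclObject $acl

# 4. Drift check: explicit ACEs that bypass the RG_ groups (users or other
#    groups granted access directly on the folder).
Get-Acl -Path $SharePath | Select-Object -ExpandProperty Access |
    Where-Object {
        -not $_.IsInherited -and
        $_.IdentityReference.Value -notmatch '\\RG_' -and
        $_.IdentityReference.Value -notmatch '^(BUILTIN|NT AUTHORITY)\\|^CREATOR OWNER$'
    } |
    Select-Object IdentityReference, FileSystemRights
```

Anything the last step prints is access that cannot be removed by taking someone out of an AG_ group, which is what makes deprovisioning unreliable.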

RE: Finding unused/dead groups?

2010-08-30 Thread David Lum
No DFS here - they use clusters and SANs to achieve their desired redundancy.

I'm trying to wrap around how I would apply this at %dayjob%. For example, I 
have one server here that I have 14 security groups for example:
SERVER1-Applications
SERVER1-Applications-Planning
SERVER1-Applications-Planning-2010
SERVER1-Applications-Planning-2010-Readonly
SERVER1-Executive
SERVER1-Shared
SERVER1-Shared-Development
Etc

What would I name the RG's? FWIW we have more than one server using the share 
name "Applications" (don't ask...).

Dave

From: Jeff Steward [mailto:jstew...@gmail.com]
Sent: Monday, August 30, 2010 9:15 AM
To: NT System Admin Issues
Subject: Re: Finding unused/dead groups?

Link to discussion of AG/RG method:  
http://technet.microsoft.com/en-us/library/cc740013(WS.10).aspx

It may be helpful to preface your security group names with AG_  RG_  ACL_ to 
differentiate between the group types.

-Jeff Steward
On Mon, Aug 30, 2010 at 12:06 PM, Andrew S. Baker <asbz...@gmail.com> wrote:
+1

ASB (My XeeSM Profile)<http://XeeSM.com/AndrewBaker>
Exploiting Technology for Business Advantage...

On Mon, Aug 30, 2010 at 11:56 AM, Ken Schaefer <k...@adopenstatic.com> wrote:
For scalability you should use an Authorisation Group -> Resource Group 
strategy.

Your AGs are based on teams or departments. Your RGs are assigned to the ACLs 
for each resource. You put your AGs into your RGs. This makes 
provisioning/deprovisioning simple.

Your RGs probably shouldn't have the server name embedded. You use DFS-N right? 
So, the RG can be based on the share name and the type of access.

For really small environments your strategy can work, but it won't scale.

Cheers
Ken

-Original Message-
From: David Lum [mailto:david@nwea.org]
Sent: Monday, 30 August 2010 11:48 PM
To: NT System Admin Issues
Subject: RE: Finding unused/dead groups?

In no environment (of six that I manage) have I moved servers outright where 
this would be an issue, replacement file servers (quite rare in fact) inherit 
the same name and new servers get new groups.

Having said that, you do bring up a good point to consider going forward. Is it 
possible to script changing AD group names in bulk? If I had 20 group names 
that started SERVER1_ change them to SERVER2_ ?

If not server names, what do you use for an AD group name used to accessing 
file shares?

Dave

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com]
Sent: Wednesday, August 18, 2010 3:08 PM
To: NT System Admin Issues
Subject: Re: Finding unused/dead groups?

On Wed, Aug 18, 2010 at 5:54 PM, David Lum <david@nwea.org> wrote:
> Not to mention our group name itself is in the form of
> __

 I don't like that because it means if you move servers your group names either 
change or become misleading.

 But we otherwise do something similar.  Things like "QMS Doc Editors" and "QMS 
Doc Readers".

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~





---
You are currently subscribed to ntsysadmin as: arch...@mail-archive.com.
To unsubscribe click here: 
http://lyris.sunbelt-software.com/u?id=8142875.a9cf90b99baa17cb4fcf8293a59eb3b1&n=T&l=ntsysadmin&o=9079542
or send a blank email to 
leave-9079542-8142875.a9cf90b99baa17cb4fcf8293a59eb...@lyris.sunbelt-software.com

Re: Finding unused/dead groups?

2010-08-30 Thread Jeff Steward
Link to discussion of AG/RG method:
http://technet.microsoft.com/en-us/library/cc740013(WS.10).aspx

It may be helpful to preface your security group names with AG_  RG_  ACL_
to differentiate between the group types.

-Jeff Steward

On Mon, Aug 30, 2010 at 12:06 PM, Andrew S. Baker  wrote:

> +1
>
>
> *ASB *(My XeeSM Profile) <http://XeeSM.com/AndrewBaker>
> *Exploiting Technology for Business Advantage...*
> On Mon, Aug 30, 2010 at 11:56 AM, Ken Schaefer wrote:
>
>> For scalability you should use an Authorisation Group -> Resource Group
>> strategy.
>>
>> Your AGs are based on teams or departments. Your RGs are assigned to the
>> ACLs for each resource. You put your AGs into your RGs. This makes
>> provisioning/deprovisioning simple.
>>
>> Your RGs probably shouldn't have the server name embedded. You use DFS-N
>> right? So, the RG can be based on the share name and the type of access.
>>
>> For really small environments your strategy can work, but it won't scale.
>>
>> Cheers
>> Ken
>>
>> -Original Message-----
>> From: David Lum [mailto:david@nwea.org]
>> Sent: Monday, 30 August 2010 11:48 PM
>> To: NT System Admin Issues
>> Subject: RE: Finding unused/dead groups?
>>
>> In no environment (of six that I manage) have I moved servers outright
>> where this would be an issue, replacement file servers (quite rare in fact)
>> inherit the same name and new servers get new groups.
>>
>> Having said that, you do bring up a good point to consider going forward.
>> Is it possible to script changing AD group names in bulk? If I had 20 group
>> names that started SERVER1_ change them to SERVER2_ ?
>>
>> If not server names, what do you use for an AD group name used to
>> accessing file shares?
>>
>> Dave
>>
>> -Original Message-
>> From: Ben Scott [mailto:mailvor...@gmail.com]
>> Sent: Wednesday, August 18, 2010 3:08 PM
>> To: NT System Admin Issues
>> Subject: Re: Finding unused/dead groups?
>>
>> On Wed, Aug 18, 2010 at 5:54 PM, David Lum  wrote:
>> > Not to mention our group name itself is in the form of
>> > __
>>
>>  I don't like that because it means if you move servers your group names
>> either change or become misleading.
>>
>>  But we otherwise do something similar.  Things like "QMS Doc Editors" and
>> "QMS Doc Readers".
>>
>> -- Ben
>>


Re: Finding unused/dead groups?

2010-08-30 Thread Andrew S. Baker
+1


*ASB *(My XeeSM Profile) <http://XeeSM.com/AndrewBaker>
*Exploiting Technology for Business Advantage...*
On Mon, Aug 30, 2010 at 11:56 AM, Ken Schaefer  wrote:

> For scalability you should use an Authorisation Group -> Resource Group
> strategy.
>
> Your AGs are based on teams or departments. Your RGs are assigned to the
> ACLs for each resource. You put your AGs into your RGs. This makes
> provisioning/deprovisioning simple.
>
> Your RGs probably shouldn't have the server name embedded. You use DFS-N
> right? So, the RG can be based on the share name and the type of access.
>
> For really small environments your strategy can work, but it won't scale.
>
> Cheers
> Ken
>
> -Original Message-
> From: David Lum [mailto:david@nwea.org]
> Sent: Monday, 30 August 2010 11:48 PM
> To: NT System Admin Issues
> Subject: RE: Finding unused/dead groups?
>
> In no environment (of six that I manage) have I moved servers outright
> where this would be an issue, replacement file servers (quite rare in fact)
> inherit the same name and new servers get new groups.
>
> Having said that, you do bring up a good point to consider going forward.
> Is it possible to script changing AD group names in bulk? If I had 20 group
> names that started SERVER1_ change them to SERVER2_ ?
>
> If not server names, what do you use for an AD group name used to accessing
> file shares?
>
> Dave
>
> -Original Message-
> From: Ben Scott [mailto:mailvor...@gmail.com]
> Sent: Wednesday, August 18, 2010 3:08 PM
> To: NT System Admin Issues
> Subject: Re: Finding unused/dead groups?
>
> On Wed, Aug 18, 2010 at 5:54 PM, David Lum  wrote:
> > Not to mention our group name itself is in the form of
> > __
>
>  I don't like that because it means if you move servers your group names
> either change or become misleading.
>
>  But we otherwise do something similar.  Things like "QMS Doc Editors" and
> "QMS Doc Readers".
>
> -- Ben
>
>


RE: Finding unused/dead groups?

2010-08-30 Thread tony patton
We use a structure similar to the following:

Root
\3a_Dept1
 \3a1_Team1
  \3a1.01_Folder1
  \3a1.02_Folder2
 \3a2_Team2
  \3a2.01_Folder1
  \3a2.02_Folder2
\3b_Dept2
 \3b1_Team1
  \3b1.01_Folder

AD groups are 3a1.01_Read, 3a1.01_Write, etc so users can be given 
different access to different areas of the FS.
We also have top level groups such as 3a2_read/_write, 3a_read/_write.

Since I've been here (over 3 1/2 years) we have gone through 2 physical 
servers and now onto Netapps.

This type of structure may not work for most orgs tho.

Regards

Tony Patton
Desktop Support Analyst - Cavan
Ext 8078
Direct Dial 049 435 2878
email: tony.pat...@quinn-insurance.com



From:   David Lum 
To: "NT System Admin Issues" 
Date:   30/08/2010 16:48
Subject:    RE: Finding unused/dead groups?



In no environment (of six that I manage) have I moved servers outright 
where this would be an issue, replacement file servers (quite rare in 
fact) inherit the same name and new servers get new groups. 

Having said that, you do bring up a good point to consider going forward. 
Is it possible to script changing AD group names in bulk? If I had 20 
group names that started SERVER1_ change them to SERVER2_ ?

If not server names, what do you use for an AD group name used to 
accessing file shares?

Dave

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Wednesday, August 18, 2010 3:08 PM
To: NT System Admin Issues
Subject: Re: Finding unused/dead groups?

On Wed, Aug 18, 2010 at 5:54 PM, David Lum  wrote:
> Not to mention our group name itself is in the form of 
__

  I don't like that because it means if you move servers your group
names either change or become misleading.

  But we otherwise do something similar.  Things like "QMS Doc
Editors" and "QMS Doc Readers".

-- Ben


Re: Finding unused/dead groups?

2010-08-30 Thread Ben Scott
On Wed, Aug 18, 2010 at 5:54 PM, David Lum  wrote:
>> Not to mention our group name itself is in the form of 
>> __

Ben replied:
> I don't like that because it means if you move servers your group
> names either change or become misleading.
>
>  But we otherwise do something similar.  Things like "QMS Doc
> Editors" and "QMS Doc Readers".

Much later, on Mon, Aug 30, 2010 at 11:48 AM, David Lum
 wrote:
> Having said that, you do bring up a good point to consider
> going forward. Is it possible to script changing AD group
> names in bulk?

  I'm sure it can.   I would probably use some combination of a dump
of group names, a text search-and-replace, ADMOD, and/or a batch file.
  You can get ADMOD from
.

  I'd bet good money that PowerShell could do it, too.  (And that MBS
knows how.  ;-)  )

> If not server names, what do you use for an AD group name used to
> accessing file shares?

  Well, to continue my example, we have a share called "QMSDocs" (it's
got our Quality Management System  (ISO-9000/AS-9100) controlled
documents in it).  So we have those groups for "QMS Doc Editors" and
"QMS Doc Readers".  Editors can make changes, readers can, well, read,
and everybody else gets nothing.  Our company group that everyone is a
member of is a member of "QMS Doc Readers", along with a special guest
account used by auditors.  Our "Senior QA Staff" group is a member of
"QMS Doc Writers".

-- Ben
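
A PowerShell version of the bulk rename discussed above (SERVER1_ to SERVER2_), as an added example that is not Ben's or anyone else's code from this thread. It assumes the ActiveDirectory module; the OU and the log file name are placeholders.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the thread: rename every group whose name starts with
# one prefix so that it starts with another. Run with -WhatIf to preview.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$OldPrefix  = 'SERVER1_',
    [string]$NewPrefix  = 'SERVER2_',
    [string]$SearchBase = 'OU=Groups,DC=example,DC=com',  # placeholder OU (assumption)
    [string]$LogPath    = '.\group-rename-log.csv'         # hypothetical log file
)

$groups = Get-ADGroup -Filter "Name -like '$OldPrefix*'" -SearchBase $SearchBase

foreach ($group in $groups) {
    $newName = $NewPrefix + $group.Name.Substring($OldPrefix.Length)

    # Never rename onto a name that is already taken, as either the display
    # name or the pre-Windows 2000 name of another group.
    $clash = Get-ADGroup -Filter "Name -eq '$newName' -or SamAccountName -eq '$newName'"
    if ($clash) {
        Write-Warning "Skipping $($group.Name): $newName already exists"
        continue
    }

    if ($PSCmdlet.ShouldProcess($group.DistinguishedName, "Rename to $newName")) {
        # A group has two names. Change sAMAccountName first (this leaves the
        # distinguished name untouched), then the CN/Name.
        $newSam = $group.SamAccountName
        if ($group.SamAccountName -like "$OldPrefix*") {
            $newSam = $NewPrefix + $group.SamAccountName.Substring($OldPrefix.Length)
            Set-ADGroup -Identity $group -SamAccountName $newSam
        }
        Rename-ADObject -Identity $group.DistinguishedName -NewName $newName

        # Audit trail, also usable to reverse the change. The SID and GUID do
        # not change on rename, so ACEs on file shares keep resolving; anything
        # that refers to the group by name (scripts, documentation) does not.
        [pscustomobject]@{
            When       = (Get-Date).ToString('s')
            ObjectGUID = $group.ObjectGUID
            SID        = $group.SID.Value
            OldName    = $group.Name
            NewName    = $newName
            OldSam     = $group.SamAccountName
            NewSam     = $newSam
        } | Export-Csv -Path $LogPath -NoTypeInformation -Append
    }
}
```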



Re: Finding unused/dead groups?

2010-08-30 Thread Jeff Steward
I use the DFS namespace to eliminate that issue and use descriptive names
for groups.

-Jeff Steward

On Mon, Aug 30, 2010 at 11:48 AM, David Lum  wrote:

> In no environment (of six that I manage) have I moved servers outright
> where this would be an issue, replacement file servers (quite rare in fact)
> inherit the same name and new servers get new groups.
>
> Having said that, you do bring up a good point to consider going forward.
> Is it possible to script changing AD group names in bulk? If I had 20 group
> names that started SERVER1_ change them to SERVER2_ ?
>
> If not server names, what do you use for an AD group name used to accessing
> file shares?
>
> Dave
>
> -Original Message-
> From: Ben Scott [mailto:mailvor...@gmail.com]
> Sent: Wednesday, August 18, 2010 3:08 PM
> To: NT System Admin Issues
> Subject: Re: Finding unused/dead groups?
>
> On Wed, Aug 18, 2010 at 5:54 PM, David Lum  wrote:
> > Not to mention our group name itself is in the form of
> __
>
>  I don't like that because it means if you move servers your group
> names either change or become misleading.
>
>  But we otherwise do something similar.  Things like "QMS Doc
> Editors" and "QMS Doc Readers".
>
> -- Ben
>


RE: Finding unused/dead groups?

2010-08-30 Thread Ken Schaefer
For scalability you should use an Authorisation Group -> Resource Group 
strategy.

Your AGs are based on teams or departments. Your RGs are assigned to the ACLs 
for each resource. You put your AGs into your RGs. This makes 
provisioning/deprovisioning simple.

Your RGs probably shouldn't have the server name embedded. You use DFS-N right? 
So, the RG can be based on the share name and the type of access.

For really small environments your strategy can work, but it won't scale.

Cheers
Ken 

-Original Message-
From: David Lum [mailto:david@nwea.org] 
Sent: Monday, 30 August 2010 11:48 PM
To: NT System Admin Issues
Subject: RE: Finding unused/dead groups?

In no environment (of six that I manage) have I moved servers outright where 
this would be an issue, replacement file servers (quite rare in fact) inherit 
the same name and new servers get new groups. 

Having said that, you do bring up a good point to consider going forward. Is it 
possible to script changing AD group names in bulk? If I had 20 group names 
that started SERVER1_ change them to SERVER2_ ?

If not server names, what do you use for an AD group name used to accessing 
file shares?

Dave

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com]
Sent: Wednesday, August 18, 2010 3:08 PM
To: NT System Admin Issues
Subject: Re: Finding unused/dead groups?

On Wed, Aug 18, 2010 at 5:54 PM, David Lum  wrote:
> Not to mention our group name itself is in the form of 
> __

  I don't like that because it means if you move servers your group names 
either change or become misleading.

  But we otherwise do something similar.  Things like "QMS Doc Editors" and 
"QMS Doc Readers".

-- Ben



RE: Finding unused/dead groups?

2010-08-30 Thread David Lum
In no environment (of six that I manage) have I moved servers outright where 
this would be an issue, replacement file servers (quite rare in fact) inherit 
the same name and new servers get new groups. 

Having said that, you do bring up a good point to consider going forward. Is it 
possible to script changing AD group names in bulk? If I had 20 group names 
that started SERVER1_ change them to SERVER2_ ?

If not server names, what do you use for an AD group name used to accessing 
file shares?

Dave

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Wednesday, August 18, 2010 3:08 PM
To: NT System Admin Issues
Subject: Re: Finding unused/dead groups?

On Wed, Aug 18, 2010 at 5:54 PM, David Lum  wrote:
> Not to mention our group name itself is in the form of __

  I don't like that because it means if you move servers your group
names either change or become misleading.

  But we otherwise do something similar.  Things like "QMS Doc
Editors" and "QMS Doc Readers".

-- Ben



RE: Finding unused/dead groups?

2010-08-19 Thread Free, Bob
First hit I had on Varonis I saw this- " DatAdvantage is priced based on the 
number of users; licenses for typical installations of one to 250 users start 
at $25,000." Maybe that is really representative, maybe not. It does look 
pretty cool nonetheless. Quest is not so expensive compared to that if I have 
to add a couple of zeros :-] 

We actually had an offer to try their product in this space (Access Manager) 
for one year for free from one of their VPs, if we ever find the spare cycles 
it would be a great project.

Just spent 3 days in a room with them and a bunch of our folks doing a POC 
looking at pulling our *NIX machines into AD with the QAS product...that was an 
interesting exercise especially from the *NIX admins perspective of going from 
maintaining >1K auth stores individually to a single identity & set of groups 
in AD.

Thread hijack but if anyone has experience with any of the big players in that 
space (AD/*NIX integration & privilege mgmt) I'd love to hear opinions, on or 
offline is fine. 

--bob

-Original Message-
From: Michael B. Smith [mailto:mich...@smithcons.com] 
Sent: Thursday, August 19, 2010 4:43 PM
To: NT System Admin Issues
Subject: RE: Finding unused/dead groups?

Honestly, no clue.

I've labbed with quite a few Quest tools, but the only ones I've actually used 
are the NetWare migrator and GroupWise migrator. For the SMORG space they tend 
to be inordinately expensive, and that's where I "play".

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com


-Original Message-
From: Free, Bob [mailto:r...@pge.com] 
Sent: Thursday, August 19, 2010 7:32 PM
To: NT System Admin Issues
Subject: RE: Finding unused/dead groups?

I wonder how that product compares with Quest's solution.

-Original Message-
From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Wednesday, August 18, 2010 12:38 PM
To: NT System Admin Issues
Subject: RE: Finding unused/dead groups?

I've got a customer that uses a tool by Varonis to track group usage. I'm 
ambivalent (not sure it provides equivalent value), but they like it, so that's 
all that matters. You might give it a look.

NetWrix also has some tools in this space.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com


-Original Message-
From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Wednesday, August 18, 2010 3:35 PM
To: NT System Admin Issues
Subject: RE: Finding unused/dead groups?

I never would have thought of that - I should be able to use admodify to bulk 
hide the groups from the GAL.

Be interested in any other options simply as it's always good to know there's 
more than one way to skin a cat, but that sounds like a plan so thanks for that 
Brian.

Michael - A typical example is a folder gets created for a project, group(s) 
gets created and assigned to the folder permissions, project dies and gets 
deleted, groups don't.

Sometimes it's my fault, sometimes it's a subfolder of a top level folder so 
the users delete them - most of the time my naming structure makes it obvious 
if a group is still relevant, but it would be good to have a "cooling off" 
period before deleting.

RE: Finding unused/dead groups?

2010-08-19 Thread Michael B. Smith
Honestly, no clue.

I've labbed with quite a few Quest tools, but the only ones I've actually used 
are the NetWare migrator and GroupWise migrator. For the SMORG space they tend 
to be inordinately expensive, and that's where I "play".

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com


-Original Message-
From: Free, Bob [mailto:r...@pge.com] 
Sent: Thursday, August 19, 2010 7:32 PM
To: NT System Admin Issues
Subject: RE: Finding unused/dead groups?

I wonder how that product compares with Quest's solution.

-Original Message-
From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Wednesday, August 18, 2010 12:38 PM
To: NT System Admin Issues
Subject: RE: Finding unused/dead groups?

I've got a customer that uses a tool by Varonis to track group usage. I'm 
ambivalent (not sure it provides equivalent value), but they like it, so that's 
all that matters. You might give it a look.

NetWrix also has some tools in this space.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com


-Original Message-
From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Wednesday, August 18, 2010 3:35 PM
To: NT System Admin Issues
Subject: RE: Finding unused/dead groups?

I never would have thought of that - I should be able to use admodify to bulk 
hide the groups from the GAL.

Be interested in any other options simply as it's always good to know there's 
more than one way to skin a cat, but that sounds like a plan so thanks for that 
Brian.

Michael - A typical example is a folder gets created for a project, group(s) 
gets created and assigned to the folder permissions, project dies and gets 
deleted, groups don't.

Sometimes it's my fault, sometimes it's a subfolder of a top level folder so 
the users delete them - most of the time my naming structure makes it obvious 
if a group is still relevant, but it would be good to have a "cooling off" 
period before deleting.

RE: Finding unused/dead groups?

2010-08-19 Thread Free, Bob
I wonder how that product compares with Quest's solution.

-Original Message-
From: Michael B. Smith [mailto:mich...@smithcons.com] 
Sent: Wednesday, August 18, 2010 12:38 PM
To: NT System Admin Issues
Subject: RE: Finding unused/dead groups?

I've got a customer that uses a tool by Varonis to track group usage. I'm 
ambivalent (not sure it provides equivalent value), but they like it, so that's 
all that matters. You might give it a look.

NetWrix also has some tools in this space.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com


-Original Message-
From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk] 
Sent: Wednesday, August 18, 2010 3:35 PM
To: NT System Admin Issues
Subject: RE: Finding unused/dead groups?

I never would have thought of that - I should be able to use admodify to bulk 
hide the groups from the GAL.

Be interested in any other options simply as it's always good to know there's 
more than one way to skin a cat, but that sounds like a plan so thanks for that 
Brian.

Michael - A typical example is a folder gets created for a project, group(s) 
gets created and assigned to the folder permissions, project dies and gets 
deleted, groups don't.

Sometimes it's my fault, sometimes it's a subfolder of a top level folder so 
the users delete them - most of the time my naming structure makes it obvious 
if a group is still relevant, but it would be good to have a "cooling off" 
period before deleting.

Re: Finding unused/dead groups?

2010-08-19 Thread James Rankin
I just record who was in a group (net group command), remove all the users
from it, mark it as DEPRECATED in the description, and wait.

If anyone calls up complaining, it was still in use - roll back. If a few
weeks / months / years (delete as necessary for your environment) pass
without issue, remove it completely.

Of course, my habit of using very detailed descriptions and sticking to a
"one group, one function" model tends to make sure you know exactly what the
scope of each group is. Others prefer nesting, but as I have spent the last
two years in a fairly small environment, I've been able to do things this
way without too much administrative overhead.

On 18 August 2010 20:17, Paul Hutchings  wrote:

>  Is there a recommended way to determine which groups (be it Domain Local
> or Global) are still in active use in a given domain?
>
> Ideal world Microsoft would give groups a "disable" property, but since
> there isn't, other than at some point hitting "Delete" and waiting for the
> phone to ring there doesn't seem any decent way to determine this.
>
> Thanks.
>  --
>
> *MIRA Ltd*
> Watling Street, Nuneaton, Warwickshire, CV10 0TU, England.
> Registered in England and Wales No. 402570
> VAT Registration GB 114 5409 96
>
> The contents of this e-mail are confidential and are solely for the use of
> the intended recipient.
> If you receive this e-mail in error, please delete it and notify us either
> by e-mail, telephone or fax.
> You should not copy, forward or otherwise disclose the content of the
> e-mail as this is prohibited.
>


-- 
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
the machine wrong figures, will the right answers come out?' I am not able
rightly to apprehend the kind of confusion of ideas that could provoke such
a question."
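
The record / empty / mark DEPRECATED / wait / roll back routine described in this post, as an added PowerShell example that is not part of the thread. It assumes the RSAT ActiveDirectory module; the function names, the snapshot folder and the 90-day default are hypothetical.

```powershell
# Added example, not from the thread. Needs the RSAT ActiveDirectory module.
Import-Module ActiveDirectory
$ErrorActionPreference = 'Stop'        # a failed snapshot must stop the removal
$Marker      = 'DEPRECATED'            # the word used in the post
$SnapshotDir = 'C:\GroupSnapshots'     # hypothetical folder for membership records

function Suspend-Group {
    param([Parameter(Mandatory)] [string] $Group)
    $g = Get-ADGroup -Identity $Group -Properties Description, member
    if ($g.Description -like "$Marker*") {
        Write-Warning "$($g.Name) is already marked $Marker; skipping."
        return
    }
    # 1. Record who was in the group (direct members, as distinguished names).
    New-Item -ItemType Directory -Path $SnapshotDir -Force | Out-Null
    $members = @($g.member)
    $file = Join-Path $SnapshotDir "$($g.ObjectGUID).csv"
    $members | ForEach-Object { [pscustomobject]@{ MemberDN = $_ } } |
        Export-Csv -Path $file -NoTypeInformation

    # 2. Mark the description, keeping the old text after the dated stamp.
    $stamp = '{0} {1:yyyy-MM-dd} | {2}' -f $Marker, (Get-Date), $g.Description
    Set-ADGroup -Identity $g -Description $stamp

    # 3. Remove all the members.
    if ($members.Count -gt 0) {
        Remove-ADGroupMember -Identity $g -Members $members -Confirm:$false
    }
}

function Restore-Group {
    # Roll back when somebody calls: re-add the recorded members, strip the stamp.
    # Add-ADGroupMember fails if a recorded member has since been deleted.
    param([Parameter(Mandatory)] [string] $Group)
    $g = Get-ADGroup -Identity $Group -Properties Description
    $file = Join-Path $SnapshotDir "$($g.ObjectGUID).csv"
    $members = @(Import-Csv -Path $file | ForEach-Object { $_.MemberDN })
    if ($members.Count -gt 0) {
        Add-ADGroupMember -Identity $g -Members $members
    }
    $old = $g.Description -replace "^$Marker \d{4}-\d{2}-\d{2} \| ?", ''
    if ($old) { Set-ADGroup -Identity $g -Description $old }
    else      { Set-ADGroup -Identity $g -Clear description }
}

function Get-ExpiredDeprecatedGroup {
    # Groups whose stamp is older than the cooling-off period: removal candidates.
    param([int] $Days = 90)            # assumed period; pick your own
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ADGroup -LDAPFilter "(description=$Marker*)" -Properties Description |
        Where-Object {
            $_.Description -match "^$Marker (\d{4}-\d{2}-\d{2})" -and
            [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd', $null) -lt $cutoff
        }
}
```

The snapshot is keyed on the group's objectGUID, so a rename during the waiting period does not orphan the record.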


Re: Finding unused/dead groups?

2010-08-18 Thread Ben Scott
On Wed, Aug 18, 2010 at 5:54 PM, David Lum  wrote:
> Not to mention our group name itself is in the form of __

  I don't like that because it means if you move servers your group
names either change or become misleading.

  But we otherwise do something similar.  Things like "QMS Doc
Editors" and "QMS Doc Readers".

-- Ben



RE: Finding unused/dead groups?

2010-08-18 Thread David Lum
"Here, when we create a Group for a folder, we record the path to the folder in 
the "Notes" section of the group in the GUI."

+1000!

Not to mention our group name itself is in the form of 
__(or whatever)_access for groups allowing access to 
specific files\folders. This has the added benefit of looking at say, a 
department group and you can see all the locations they have access to by 
looking at "member of".

Dave

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Wednesday, August 18, 2010 1:23 PM
To: NT System Admin Issues
Subject: Re: Finding unused/dead groups?

On Wed, Aug 18, 2010 at 3:35 PM, Paul Hutchings
 wrote:
> Michael - A typical example is a folder gets created for a project,
> group(s) gets created and assigned to the folder permissions, project dies
> and gets deleted, groups don't.

  An ACL reporting tool may prove to be useful to you for that.  See
the contemporary "Old habits" thread.

  Here, when we create a Group for a folder, we record the path to the
folder in the "Notes" section of the group in the GUI.  Outside of IT,
users generally don't have permissions to change ACLs, so that usually
keeps things tidy for us.  This likely won't scale to a larger org.

-- Ben




Re: Finding unused/dead groups?

2010-08-18 Thread Andrew S. Baker
The Varonis technology is pretty nice, although more useful from a security
perspective.


*ASB *(My XeeSM Profile) <http://XeeSM.com/AndrewBaker>
*Exploiting Technology for Business Advantage...*


On Wed, Aug 18, 2010 at 3:38 PM, Michael B. Smith wrote:

> I've got a customer that uses a tool by Varonis to track group usage. I'm
> ambivalent (not sure it provides equivalent value), but they like it, so
> that's all that matters. You might give it a look.
>
> NetWrix also has some tools in this space.
>
> Regards,
>
> Michael B. Smith
> Consultant and Exchange MVP
> http://TheEssentialExchange.com
>
>
> -Original Message-
> From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
> Sent: Wednesday, August 18, 2010 3:35 PM
> To: NT System Admin Issues
> Subject: RE: Finding unused/dead groups?
>
> I never would have thought of that - I should be able to use admodify to
> bulk hide the groups from the GAL.
>
> Be interested in any other options simply as it's always good to know
> there's more than one way to skin a cat, but that sounds like a plan so
> thanks for that Brian.
>
> Michael - A typical example is a folder gets created for a project,
> group(s) gets created and assigned to the folder permissions, project dies
> and gets deleted, groups don't.
>
> Sometimes it's my fault, sometimes it's a subfolder of a top level folder
> so the users delete them - most of the time my naming structure makes it
> obvious if a group is still relevant, but it would be good to have a
> "cooling off" period before deleting.

Re: Finding unused/dead groups?

2010-08-18 Thread Andrew S. Baker
That's actually a cool idea!  (Not saying you don't have cool ideas, but...)


*ASB *(My XeeSM Profile) <http://XeeSM.com/AndrewBaker>
*Exploiting Technology for Business Advantage...*


On Wed, Aug 18, 2010 at 3:19 PM, Brian Desmond wrote:

> *Convert them to distribution groups and they will retain their SID but no
> longer be inserted into a user’s token. You can subsequently remark them as
> security groups if someone complains. *
>
> * *
>
> *Thanks,*
>
> *Brian Desmond*
>
> *br...@briandesmond.com*
>
> * *
>
> *c   – 312.731.3132*
>
> * *
>
> *From:* Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
> *Sent:* Wednesday, August 18, 2010 2:18 PM
>
> *To:* NT System Admin Issues
> *Subject:* Finding unused/dead groups?
>
>
>
> Is there a recommended way to determine which groups (be it Domain Local or
> Global) are still in active use in a given domain?
>
> Ideal world Microsoft would give groups a "disable" property, but since
> there isn't, other than at some point hitting "Delete" and waiting for the
> phone to ring there doesn't seem any decent way to determine this.
>
> Thanks.
> --
>
> *MIRA Ltd*
> Watling Street, Nuneaton, Warwickshire, CV10 0TU, England.
> Registered in England and Wales No. 402570
> VAT Registration GB 114 5409 96
>
> The contents of this e-mail are confidential and are solely for the use of
> the intended recipient.
> If you receive this e-mail in error, please delete it and notify us either
> by e-mail, telephone or fax.
> You should not copy, forward or otherwise disclose the content of the
> e-mail as this is prohibited.
>

Re: Finding unused/dead groups?

2010-08-18 Thread Ben Scott
On Wed, Aug 18, 2010 at 3:35 PM, Paul Hutchings
 wrote:
> Michael - A typical example is a folder gets created for a project,
> group(s) gets created and assigned to the folder permissions, project dies
> and gets deleted, groups don't.

  An ACL reporting tool may prove to be useful to you for that.  See
the contemporary "Old habits" thread.

  Here, when we create a Group for a folder, we record the path to the
folder in the "Notes" section of the group in the GUI.  Outside of IT,
users generally don't have permissions to change ACLs, so that usually
keeps things tidy for us.  This likely won't scale to a larger org.

-- Ben
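
Once the folder path is recorded in a group's Notes field, dead groups can be found by checking that path. The following is an added PowerShell example, not part of the thread. It assumes the RSAT ActiveDirectory module, that the first line of Notes (stored in the `info` attribute) is the folder path, and a hypothetical function name.

```powershell
# Added example, not from the thread. Needs the RSAT ActiveDirectory module.
# Run as an account that can read the shares; a path the account cannot reach
# is reported as FolderMissing and needs a manual check.
Import-Module ActiveDirectory

function Get-FolderGroupStatus {
    param([string] $SearchBase)        # optional OU to limit the search

    # Only groups that have something in Notes (the "info" attribute).
    $query = @{ LDAPFilter = '(info=*)'; Properties = 'info' }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    Get-ADGroup @query | ForEach-Object {
        $group = $_
        # Assumption: the first line of Notes is the folder path.
        $path = ($group.info -split "`r?`n")[0].Trim()

        if ($path -notmatch '^(\\\\|[A-Za-z]:\\)') {
            # Neither a UNC path nor a drive-letter path.
            $status = 'NotesIsNotAPath'
        }
        elseif (-not (Test-Path -LiteralPath $path -PathType Container)) {
            # The project folder is gone but the group is still there.
            $status = 'FolderMissing'
        }
        else {
            # Folder exists: is the group's SID still on its ACL?
            $sidType = [System.Security.Principal.SecurityIdentifier]
            $rules = (Get-Acl -LiteralPath $path).GetAccessRules($true, $true, $sidType)
            $onAcl = @($rules | Where-Object {
                $_.IdentityReference.Value -eq $group.SID.Value
            }).Count -gt 0
            $status = if ($onAcl) { 'InUse' } else { 'FolderExistsGroupNotOnAcl' }
        }

        [pscustomobject]@{
            Group  = $group.Name
            Path   = $path
            Status = $status
        }
    }
}

# Example call: everything that is not demonstrably in use.
# Get-FolderGroupStatus | Where-Object { $_.Status -ne 'InUse' } | Format-Table -AutoSize
```

Drive-letter paths in Notes are only meaningful when the function runs on the file server that owns them.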



RE: Finding unused/dead groups?

2010-08-18 Thread Michael B. Smith
I've got a customer that uses a tool by Varonis to track group usage. I'm 
ambivalent (not sure it provides equivalent value), but they like it, so that's 
all that matters. You might give it a look.

NetWrix also has some tools in this space.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com


-Original Message-
From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk] 
Sent: Wednesday, August 18, 2010 3:35 PM
To: NT System Admin Issues
Subject: RE: Finding unused/dead groups?

I never would have thought of that - I should be able to use admodify to bulk 
hide the groups from the GAL.

Be interested in any other options simply as it's always good to know there's 
more than one way to skin a cat, but that sounds like a plan so thanks for that 
Brian.

Michael - A typical example is a folder gets created for a project, group(s) 
gets created and assigned to the folder permissions, project dies and gets 
deleted, groups don't.

Sometimes it's my fault, sometimes it's a subfolder of a top level folder so 
the users delete them - most of the time my naming structure makes it obvious 
if a group is still relevant, but it would be good to have a "cooling off" 
period before deleting.

RE: Finding unused/dead groups?

2010-08-18 Thread Paul Hutchings
I never would have thought of that - I should be able to use admodify to bulk 
hide the groups from the GAL.

Be interested in any other options simply as it's always good to know there's 
more than one way to skin a cat, but that sounds like a plan so thanks for that 
Brian.

Michael - A typical example is a folder gets created for a project, group(s) 
gets created and assigned to the folder permissions, project dies and gets 
deleted, groups don't.

Sometimes it's my fault, sometimes it's a subfolder of a top level folder so 
the users delete them - most of the time my naming structure makes it obvious 
if a group is still relevant, but it would be good to have a "cooling off" 
period before deleting.


RE: Finding unused/dead groups?

2010-08-18 Thread Michael B. Smith
What Brian says.

But I guess I'm interested in knowing what you mean by "active use"?

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Brian Desmond [mailto:br...@briandesmond.com]
Sent: Wednesday, August 18, 2010 3:19 PM
To: NT System Admin Issues
Subject: RE: Finding unused/dead groups?

Convert them to distribution groups and they will retain their SID but no 
longer be inserted into a user's token. You can subsequently remark them as 
security groups if someone complains.

Thanks,
Brian Desmond
br...@briandesmond.com<mailto:br...@briandesmond.com>

c   - 312.731.3132

From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Wednesday, August 18, 2010 2:18 PM
To: NT System Admin Issues
Subject: Finding unused/dead groups?


Is there a recommended way to determine which groups (be it Domain Local or 
Global) are still in active use in a given domain?

Ideal world Microsoft would give groups a "disable" property, but since there 
isn't, other than at some point hitting "Delete" and waiting for the phone to 
ring there doesn't seem any decent way to determine this.

Thanks.



MIRA Ltd
Watling Street, Nuneaton, Warwickshire, CV10 0TU, England.
Registered in England and Wales No. 402570
VAT Registration GB 114 5409 96

The contents of this e-mail are confidential and are solely for the use of the 
intended recipient.
If you receive this e-mail in error, please delete it and notify us either by 
e-mail, telephone or fax.
You should not copy, forward or otherwise disclose the content of the e-mail as 
this is prohibited.














RE: Finding unused/dead groups?

2010-08-18 Thread Brian Desmond
Convert them to distribution groups and they will retain their SID but no 
longer be inserted into a user's token. You can subsequently remark them as 
security groups if someone complains.

Thanks,
Brian Desmond
br...@briandesmond.com

c   - 312.731.3132

From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Wednesday, August 18, 2010 2:18 PM
To: NT System Admin Issues
Subject: Finding unused/dead groups?


Is there a recommended way to determine which groups (be it Domain Local or 
Global) are still in active use in a given domain?

Ideal world Microsoft would give groups a "disable" property, but since there 
isn't, other than at some point hitting "Delete" and waiting for the phone to 
ring there doesn't seem any decent way to determine this.

Thanks.



MIRA Ltd
Watling Street, Nuneaton, Warwickshire, CV10 0TU, England.
Registered in England and Wales No. 402570
VAT Registration GB 114 5409 96

The contents of this e-mail are confidential and are solely for the use of the 
intended recipient.
If you receive this e-mail in error, please delete it and notify us either by 
e-mail, telephone or fax.
You should not copy, forward or otherwise disclose the content of the e-mail as 
this is prohibited.
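
The convert-to-distribution approach from this reply, as an added PowerShell example that is not part of the thread. It assumes the RSAT ActiveDirectory module; the function names, the log file path and the 90-day default are hypothetical.

```powershell
# Added example, not from the thread. Needs the RSAT ActiveDirectory module.
Import-Module ActiveDirectory
$ErrorActionPreference = 'Stop'
$LogFile = 'C:\GroupSnapshots\converted-groups.csv'   # hypothetical log location

function Disable-SecurityGroup {
    param([Parameter(Mandatory)] [string] $Group)
    $before = Get-ADGroup -Identity $Group -Properties isCriticalSystemObject
    if ($before.GroupCategory -ne 'Security') {
        Write-Warning "$($before.Name) is not a security group; skipping."
        return
    }
    if ($before.isCriticalSystemObject) {
        throw "$($before.Name) is a critical system object; refusing to convert."
    }
    # Membership is left untouched; only the category changes.
    Set-ADGroup -Identity $before -GroupCategory Distribution

    # Confirm the SID survived, so ACLs that name the group match again on revert.
    $after = Get-ADGroup -Identity $before.ObjectGUID
    if ($after.SID.Value -ne $before.SID.Value) {
        throw "SID changed for $($before.Name)."
    }
    [pscustomobject]@{
        Name        = $after.Name
        SID         = $after.SID.Value
        ConvertedOn = Get-Date -Format s
    } | Export-Csv -Path $LogFile -Append -NoTypeInformation
}

function Enable-SecurityGroup {
    # Someone complained: mark the group as a security group again.
    param([Parameter(Mandatory)] [string] $Group)
    Set-ADGroup -Identity $Group -GroupCategory Security
}

function Get-DeletionCandidate {
    # Logged groups converted more than $Days ago that nobody asked to have
    # restored (they still exist and are still distribution groups).
    param([int] $Days = 90)            # assumed cooling-off period
    $cutoff = (Get-Date).AddDays(-$Days)
    Import-Csv -Path $LogFile |
        Where-Object { [datetime]$_.ConvertedOn -lt $cutoff } |
        ForEach-Object { Get-ADGroup -Filter "SID -eq '$($_.SID)'" } |
        Where-Object { $_.GroupCategory -eq 'Distribution' }
}
```

Tokens are built at logon, so users who are already logged on keep the group's SID until their next logon.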










Finding unused/dead groups?

2010-08-18 Thread Paul Hutchings
Is there a recommended way to determine which groups (be it Domain Local or 
Global) are still in active use in a given domain?

Ideal world Microsoft would give groups a "disable" property, but since there 
isn't, other than at some point hitting "Delete" and waiting for the phone to 
ring there doesn't seem any decent way to determine this.

Thanks.

-- 
MIRA Ltd

Watling Street, Nuneaton, Warwickshire, CV10 0TU, England.

Registered in England and Wales No. 402570
VAT Registration  GB 114 5409 96

The contents of this e-mail are confidential and are solely for the use of the 
intended recipient.
If you receive this e-mail in error, please delete it and notify us either by 
e-mail, telephone or fax.
You should not copy, forward or otherwise disclose the content of the e-mail as 
this is prohibited.


