"arabha123" <arabha
...@gmail.com> wrote in message
news:45313c37-7882-400a-a386-a20ba5703ce9@g22g2000prf.googlegroups.com...
> Hi all,
> I am in a fix where I want to delete a lot of security groups that
> have been created but not used for share permissions but just so that
> the distribution groups with the same name can be used in case of
> share access. Is there a way to find out unused security groups, so
> that they can be deleted? Any help is greatly appreciated.
First thing is, if you delete a group containing no members, you can be
fairly confident that nobody will lose access to anything as a result.
Beyond that, this can be quite a difficult prospect, as the usage of a
security group is not contained within its definition in Active Directory.
Rather, it is scattered in the form of permissions on NTFS volumes and
printers on all servers (and possibly some workstations), in various places
within Exchange, and potentially in your applications.
If you know the permissions will be limited to NTFS volumes, and if you have
a structured approach to folder permissions, that may simplify the task. For
example, if you apply permissions only to folders and not to individual
files, or if you limit how deeply nested folders with different permissions
than their parents are allowed to go.
But at some point you are going to have to enumerate all of the permissions
on some subset of NTFS objects, marking any groups found as trustees as
being in use. If you have been thorough enough, the ones not so marked could
be considered unused and deleted.
Here's another random thought. You could rename all of the suspect groups by
prefixing their names with something like "UNUSEDSECURITYGROUP", use cacls
to dump all permissions, then do a search for the string
"UNUSEDSECURITYGROUP". Whenever you find a match, just rename the
corresponding group back to its original name.
/Al
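The enumerate-and-mark approach from the reply above, written out as a PowerShell script. This is an added example, not code from the original post or from its author: it walks the NTFS ACLs under one or more roots (folders only by default, matching the folder-only advice above), adds SMB share permissions when the SMB cmdlets are available on the machine it runs on, and then reports every domain security group as in use, unused and empty, or unused but still holding members. It requires the ActiveDirectory module from RSAT; the root paths, the NetBIOS domain name and the parameter names are assumptions to be edited for the environment.

```powershell
# Added example (not from the original post): mark security groups found as
# NTFS or share trustees, then list the ones never seen. Assumptions: the
# ActiveDirectory module is installed, $Roots and $Domain are adjusted to
# the environment, and the script runs with read access to every ACL.
param(
    [string[]] $Roots  = @('D:\Shares'),   # assumed: scan these trees recursively
    [string]   $Domain = 'CORP',           # assumed: NetBIOS name as it appears in ACEs
    [switch]   $IncludeFiles               # default follows the folder-only advice above
)

Import-Module ActiveDirectory -ErrorAction Stop

# Every trustee string seen so far: "DOMAIN\name", or a raw SID for orphaned ACEs.
$seen = New-Object 'System.Collections.Generic.HashSet[string]' ([StringComparer]::OrdinalIgnoreCase)

function Add-Trustees([string] $Path) {
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $acl) { Write-Warning "Cannot read ACL: $Path"; return }
    foreach ($ace in $acl.Access) {
        [void] $seen.Add($ace.IdentityReference.Value)
    }
}

foreach ($root in $Roots) {
    # The root's own ACL is where every inherited ACE below it comes from.
    Add-Trustees $root
    $items = Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue
    if (-not $IncludeFiles) { $items = $items | Where-Object { $_.PSIsContainer } }
    foreach ($item in $items) { Add-Trustees $item.FullName }
}

# Share-level permissions, only when run on a server that has the SMB cmdlets.
if (Get-Command Get-SmbShareAccess -ErrorAction SilentlyContinue) {
    Get-SmbShare | Get-SmbShareAccess | ForEach-Object { [void] $seen.Add($_.AccountName) }
}

# Classify every security group in the domain. A group is "in use" if it was
# seen by name or by SID (the SID match catches ACEs whose name did not resolve).
Get-ADGroup -Filter 'GroupCategory -eq "Security"' -Properties Members, MemberOf |
    ForEach-Object {
        $members = @($_.Members).Count
        $inUse   = $seen.Contains("$Domain\$($_.SamAccountName)") -or $seen.Contains($_.SID.Value)
        if ($inUse)             { $status = 'in use' }
        elseif ($members -eq 0) { $status = 'unused, empty' }
        else                    { $status = 'unused, has members' }
        [pscustomobject]@{
            Group    = $_.SamAccountName
            Members  = $members
            NestedIn = @($_.MemberOf).Count   # >0 means it may grant access through another group
            Status   = $status
        }
    } | Sort-Object Status, Group
```

Two caveats when reading the output. The script only sees the NTFS trees and shares it was pointed at, so printers, Exchange and application permissions, which the reply above lists as other places group usage hides, still need their own sweep. And a group that is nested inside another group which does appear on an ACL grants access indirectly; the `NestedIn` column flags those so they are verified before anything marked "unused, has members" is deleted.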