Announcement

Collapse
No announcement yet.

Display the SELF Permissions of a number of users

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Display the SELF Permissions of a number of users

    Hi

    We need to see the SELF - "Write phone and mail options" permissions that a group of users have.

    Is this possible with Hyena?

    We use v6.3

  • #2
    Re: Display the SELF Permissions of a number of users

    I found a way to do this, but need to check on Hyena v6.3.

    How many users do you have to check this on ?
    Kevin Stanush
    SystemTools Software Inc.

    Comment


    • #3
      Re: Display the SELF Permissions of a number of users

      10,000 although i anticipate that only about a hanful of users might not have that permissions (the ones we need to identify).

      Comment


      • #4
        Re: Display the SELF Permissions of a number of users

        I don't think I have a very good solution due to the number of users. There isn't any way to do this non-interactively as we don't have an option in Exporter Pro to do it.

        But if you right click on a user, select Account Functions->List Directory Security. I checked and this option is also in v6.3. The resulting output will have all of the permissions granted to that user. Sort on the settings and find/not find the one you are looking for SELF.

        This may be slow and I would not do it for a large group of users if you try it.
        Kevin Stanush
        SystemTools Software Inc.

        Comment


        • #5
          Re: Display the SELF Permissions of a number of users

          Would a newer version of Hyena make this easier on the number of users we have?

          Would an upgrade help us in this task?

          Comment


          • #6
            Re: Display the SELF Permissions of a number of users

            No, I we don't know of any method to make this easier. Do you think that a software company would pass up the opportunity to recommend you upgrade ?

            Welcome to the world of distributed Windows security, just the same as files and directories. You can try the DsFind tool from www.Joeware.net. Read one of his blog entries on this topic here:
            http://blog.joeware.net/2008/04/10/1156/

            Or, there is the dsacls tools from Microsoft.

            After reading about the security descriptor output, called SDDL syntax, I learned about what before always looked like gibberish. While Hyena can display this value, we are limited by Microsoft GUI limitation of 260 characters. We'll look at ways to get this information out of Windows easier in case there are those users out there who actually make use of it.
            Kevin Stanush
            SystemTools Software Inc.

            Comment


            • #7
              Re: Display the SELF Permissions of a number of users

              LOL - I thought you were just being polite!

              Thanks for the additional info, hopefully that should be a solution.

              Comment


              • #8
                Re: Display the SELF Permissions of a number of users

                Using the information in the links above, we did some experimenting and found the Exporter Pro can export the nTSecurityDescriptor. You can add it to the Detailed User export and when it finishes you can search using something like Excel.

                We set a couple of users to SELF - Write phone and mail options, and in each case this was found as part of the nTSecurityDescriptor:

                (OA;;WP;e45795b2-9455-11d1-aebd-0000f80367c1;;PS)

                Try a few users to make sure it matches for you too, then you would be able to search all users and find those with that string.

                Comment


                • #9
                  Re: Display the SELF Permissions of a number of users

                  Much apprecaited, i will pass this on to the guy tasked with this and see how he gets on.

                  Comment

                  Working...
                  X