Windows Permissions and Security – Four Kinds of Dull Tasks We’ve Automated for You

“It's easier to ask forgiveness than it is to get permission.”

Maybe Rear Admiral Grace Hopper was first to say that, and maybe she wasn’t. She certainly knew a thing or two about permission. I think that if she’d known what network administrators go through, she’d have said that almost anything is easier than managing Windows permissions across an entire IT environment.

In my previous post about Windows permission and access control, I showed how Security Explorer works in different areas and products in a Windows environment. This time, I’ll focus on four categories of dull, day-to-day admin tasks that you can speed up and even automate with Security Explorer.

Search: Look for specific permission sets

You know who the users and groups are. Where do they have access?

They may have permissions not only on file servers, but also on documents stored on SharePoint, SQL Server or Exchange. Most permissions are granted not directly to the account, but indirectly through membership in local server groups, SharePoint groups, SQL Server roles or Active Directory groups. How can you untangle all that and determine the resources to which they have access?

With Security Explorer, you have a central point from which to search for all access granted directly or indirectly to a particular user or group across the network.

Then, you can export the results of your search to a file for ad-hoc reporting.

Use Security Explorer to find all permissions and services associated with unknown or deleted accounts (or an account you’re about to delete), or resources to which a user or group does not have a specific permission. It’s a lot easier than bouncing among servers or running multiple searches.

Manage: Make changes to servers individually or in bulk

What is network administration about if not about managing access? A lot of your job boils down to granting, revoking and modifying access to Windows servers, desktops and NAS/SAN devices. Instead of creating and maintaining scripts based on command-line tools, you can manage permissions with Security Explorer.

“Access Denied” errors can interrupt long operations, so Security Explorer prevents those errors when it encounters files the user does not have permissions to access. When you’re duplicating or replacing access between accounts, Security Explorer has a clone feature for changing user roles and provisioning new users. You can also manage group membership directly from within the access control list for the resource.

Recover: Backup and restore permissions

To deal with accidental or malicious changes, use Security Explorer to back up and restore permissions. You can easily recover from unplanned changes in Windows permissions without having to restore entire files, folders and volumes from tape backup.

You can schedule backups or run them on demand, and compare them against the live environment. Security Explorer gives you an easy way to create and maintain baselines for access controls to resources anywhere on your network.

Report: Address ad-hoc requests

Command-line tools and Microsoft security tools don’t have much for you when it comes to reports. Security Explorer includes a full roster of reports on permissions, access and services throughout your Windows environment.

Next steps

It’s time to get serious about managing Windows permissions in your environment. Try Security Explorer free for 30 days and see how much more efficiently you can work than with your current tools.

Download 30-day trial

About the Author
Austin Collins
Product Marketing Manager that supports Quest's Microsoft Platform Management solutions.   Within Microsoft Platform Management we focus on Migrations and consolidations for Active Directory, Exchange...