AD Group Properties

I need to analyze what specific groups can or cannot do, especially, which system they can access. Is there a why for me to run a script that shows me what a group can do? I don’t mind doing a visual comparison, since there aren’t too many groups. I just need the ability to display their capabilities.



No. You would need to check all resources where those groups got granted access to.

Olaf is right. Rights and permissions are assigned to resources, not to security principles (like groups and accounts). Keeping in control in a Windows environment is normally done through group policies.

A deviation of that model is role based access control (RBAC), but since you imply talking about access to all your systems that won’t be your solution either.

To complicate matters even further there is also something like Dynamic Access Control, making a static overview of rights and permissions meaningless.