The Active Directory Permissions report allows one to filter in or out certain account name patterns, but that filter does not follow down to nested groups as I need it to do. How can this be done?

I am in need of a report where I can report on the permissions within AD but EXCLUDE all accounts whose SAMAccountName begins with "a.". So I added a parameter to the report where this filter is hard coded into the report. The result is that the filter is followed on the directly added users but not in the nested groups.

How can I pass that exclusion filter to the SP which is enumerating the nested groups?

The history of this is that the domain has had several management 'styles' over the years and needs to be cleaned up. In AD, it was decided that all administrative accounts would begin with A. and then the SAMAccountName as in "a.usernamegoeshere".

What we need to do is to be able to run a report on AD permissions where we can exclude these users and other built in accounts and groups as required AND have that exclusion filter also apply to the nested groups.

So if a user a.username has some permissions in an OU then that account would not be included in the report. We have that now. But, when the account is nested in a group, it is displayed. It is here where we need that filter also applied to the return set of the stored procedure used to enumerate the nested groups.

Is this even possible?

  • Ivan, thanks for the initiative but that is a near miss. What I want to have is an extension of the Active Directory Permissions report.

    If you take that report and modify it so that there is an EXCLUDE accounts and an EXPAND NESTED GROUPS option, that is the basic framework you need.

    What is happening is that the report can exclude accounts that have explicit permissions in AD per the instructions of the query BUT, in the subquery where the groups are expanded, the accounts that are listed in the Exclude Accounts option are listed in the expanded group as shown in this screen capture:

    Note in this screen capture that this is a partial picture of the security. In this case the accounts beginning with a.* are excluded unless they also exist in a nested group. This image shows the a. accounts listed in a nested group. The a. accounts are filtered out of the rest of the report.

    So the question is that if we take an existing report, which has all the features that a user could want including the ability to filter OUT certain accounts by a wild card value at the object level; how can we also filter out the same accounts when those accounts also exist in nested groups?

    Here is the report I am using.

    Active Directory Permissions with Nested Membership Filter_v2.6.0.12000.zip

    Michael
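The behaviour described in this thread, reproduced as an added example that is not part of the original posts and is not the report's own stored procedure: the exclusion pattern has to be tested against every account produced by the group expansion, not only against the direct trustee. The `ace` and `member` tables, their columns, and the sample accounts are hypothetical and constructed, and SQLite is used through Python only so the query runs offline.

```python
import sqlite3

def build_db():
    """In-memory database with constructed sample data (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE ace(ou TEXT, trustee TEXT, rights TEXT);
        CREATE TABLE member(grp TEXT, child TEXT);
        INSERT INTO ace VALUES
            ('OU=Sales', 'jsmith',      'Read'),
            ('OU=Sales', 'a.jsmith',    'FullControl'),
            ('OU=Sales', 'SalesAdmins', 'Write');
        INSERT INTO member VALUES
            ('SalesAdmins', 'a.mjones'), ('SalesAdmins', 'kbrown'),
            ('SalesAdmins', 'Tier2'),
            ('Tier2', 'a.kbrown'), ('Tier2', 'lwhite'),
            ('Tier2', 'SalesAdmins');  -- circular nesting, must not loop
    """)
    return conn

def report(conn, pattern, filter_expanded):
    """Effective per-account rows: (ou, account, rights, granted_via)."""
    # The second predicate is the one missing from the behaviour described
    # above: it tests every expanded member, not only the direct trustee.
    outer = "AND name NOT LIKE :p" if filter_expanded else ""
    sql = f"""
        WITH RECURSIVE expanded(ou, rights, via, name) AS (
            SELECT ou, rights, trustee, trustee FROM ace
            WHERE trustee NOT LIKE :p          -- direct trustees only
            UNION                              -- UNION dedups, so cycles end
            SELECT e.ou, e.rights, e.via, m.child
            FROM expanded e JOIN member m ON m.grp = e.name
        )
        SELECT ou, name, rights, via FROM expanded
        WHERE name NOT IN (SELECT grp FROM member)  -- leaf accounts only
        {outer}
        ORDER BY ou, name
    """
    return conn.execute(sql, {"p": pattern}).fetchall()

if __name__ == "__main__":
    db = build_db()
    for flag in (False, True):
        print("filter_expanded =", flag)
        for row in report(db, "a.%", flag):
            print("  ", row)
```

With `filter_expanded` off, the `a.` accounts nested under `SalesAdmins` and `Tier2` still appear; with it on, they are dropped at every nesting depth while the group's other members remain.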
