Looking for a permissions/access scan tool

That's a really big ball of worms. It's not just 'scanning' a file share or whatever, it's auditing both the AD and Azure configured accounts, groups and permissions, etc. but also effective NTFS and SMB share permissions etc. plus you mention mailbox and apps.

Solarwinds is mentioned a few times I saw as 'the best' but I'm sure it's not really all that great. Most of their tools have a lot of baggage and cruft in them.

There are also https://www.netwrix.com and https://www.manageengine.com/products/ad-manager/ but I don't know how feature complete or reliable they are. They just seem like the next big players in that area.

Personally, I would not put all my effort into auditing after the fact. I would put equal effort into simplification, group management, least-permission/zero-trust, and then apply auditing efforts once you have a sane user-management and access-restriction model.

And if you are already at the point where you are using m365, EXO, etc., you should be extremely focused on eliminating local admin accounts, windows shares, and on prem DFS. I'm sure you know all that and the reality is we all deal with legacy and tech-debt situations... but yeah. Spending big money and time on a new auditing tool might be premature if you can significantly narrow your 'scanning target surface area' by narrowing down user permissions, applications and services they can create or use, etc.

Do you need to meet a legal requirement? Which one? Otherwise, why are you doing this?

Yeah, I get why you might feel forced into that kind of approach (politics, legacy inertia, lack of top down authority/approval, etc.) but the right approach is to look at the organization(s), create the groups and create the permissions for them that meet their needs and then start eliminating old stuff so you don't have to do anything but double check the group permissions and member lists once a year or whatever.

Trying to use a scan tool to audit your existing spaghetti is going to be a huge effort and yield pretty spotty results, I would bet. It can be soooo much more effective to simply build the right structure and start pushing people into it, then burn down the old structure. The people will moan and complain the whole time until about 2 days after they are using it and then it will mostly be fine with a bit of fine tuning. If you're in any kind of transition to cloud document editing and auth and messaging (O365 etc.) then it is a great time to simply force everything into properly sane boxes and archive all the old stuff.

flyingember said:

We're doing this for security information gathering. To Paladin's points our environment is full of 20 years of legacy crud. The goal is to use the tool to find where groups are being used in order to target our efforts.

Click to expand...

I am in the MSP field, servicing both large and small customers.

Build a new environment with a new AD. Build a new structure to accommodate the old data. Migrate the data from the old environment to the new one. Do not migrate permissions. Use a proper access management tool, and document the rights assigned.

Is it a lot of work? Yes. Is it the only way to be sure? Also yes.

You can spend years trying to audit the decades old crud, and you probably wont succeed. Plus you still might miss something. It's expensive as hell, and in 2027 you will have spent as much money fixing it as a proper migration would have cost.

Tell your boss you need to stop repairing the old wreck from the 80s. It needs to be replaced, not serviced. They do that with every other aspect of the companys assets - and it's needed here as well. Ask for examples of old cars, equipment, or critical infrastructure of similar age that management instists on repairing. Hopefully there are none. If there are, GTFO and find somewhere else to work.

I'll do a free Teams meeting with you and da bosses if you need someone external to be the bearer of the bad news.

Whatever you save on that free service from me, you donate to Unicef or MSF.

Deal?