Getting Started with Security Explorer
Starting Security Explorer
Customizing the view
Managing permissions
Choosing an interface mode
Using the Tasks tab
Using the status bar
Using the loading progress bar
Managing module buttons
Completing a process
Viewing permissions
Granting permissions
Revoking permissions
Searching
Using the Browse tab to revoke permissions
Revoking permissions on unknown accounts
Revoking permissions on disabled accounts
Using the Revoke tasks
Cloning permissions
Using the Browse tab to clone permissions
Creating permission templates
Copying permissions
Copying permissions to subfolders and files
Setting ownership
Modifying permissions
Reducing permissions to read only
Managing group memberships
Renaming accounts
Deleting permissions
Printing permissions
Selecting users and groups manually
Selecting users and groups automatically
Updating permissions relating to a user's SID history
Importing users and groups
Using the Clone task
Using the Browse tab to search
Managing saved searches
Adding a search scope
Setting search criteria
Managing security
Group and user search criteria
Permission search criteria
Folder and file search criteria
Service and task search criteria
Group and user search criteria
Advanced search options
Registry key search criteria
Using the Search tasks
Replacing permissions
Scheduling a search
Managing search tasks
Backing up security
Scheduling a backup
Using the backup scheduler
Restoring security
Comparing security
Purging backup files
Scheduling a backup purge
Exporting security
Managing objects
Managing folders and files
Working with Microsoft SQL Server
Creating a new folder
Deleting a folder or file
Viewing folder and file properties
Showing open files
Opening files
Editing files
Opening a folder in Windows Explorer
Managing shares
Managing registry keys
Managing services
Starting, stopping, pausing, or restarting a service
Setting logon accounts
Changing the password for a logon account
Scheduling logon account password changes
Removing a service
Modifying service properties
Managing tasks
Running a task
Setting account information
Creating a new task
Copying a task
Exporting a task
Removing a task
Modifying task properties
Managing groups and users
Viewing accounts
Creating a new group
Creating a new user
Modifying group and user properties
Modifying group or user Active Directory properties
Modifying properties of multiple users
Modifying group memberships
Viewing group and user memberships
Changing user passwords
Modify memberships of multiple local groups
Clearing the local administrator group
Deleting groups and users
Creating a new Managed Service Account
Modifying Managed Service Account properties
Modifying Managed Service Account Active Directory properties
Viewing Managed Service Account memberships
Deleting Managed Service Account
Managing Favorites
Managing Enterprise Scopes
Creating an Enterprise Scope while browsing
Creating an Enterprise Scope
Editing an Enterprise Scope
Removing an Enterprise Scope
Updating licenses
Managing network drives
Viewing SQL Server permissions
Granting SQL Server permissions
Revoking SQL Server permissions
Cloning SQL Server permissions
Modifying SQL Server permissions
Searching for SQL Server objects and permissions
Backing up and restoring SQL Server security
Exporting SQL Server database permissions
Managing SQL Server objects
Working with Microsoft Exchange
Copying SQL Server objects
Copying SQL Server permissions
Managing SQL Server databases
Managing Security SQL Reporting Services
Setting options for SQL Server
Modifying SQL Server security settings
Managing SQL Server network settings
Adding a new database role
Removing a database role
Modifying a database role
Adding a new database user
Removing a database user
Modifying a database user
Adding a new schema
Removing a schema
Modifying a schema
Managing logins
Managing server roles
Checking minimum requirements
Viewing Exchange permissions
Granting Exchange permissions
Revoking Exchange permissions
Cloning Exchange permissions
Searching for Exchange server objects and permissions
Backing up and restoring Exchange server security
Modifying Exchange permissions
Managing Exchange group memberships
Exporting Exchange security permissions
Creating Exchange databases
Creating public folder mailboxes
Managing Exchange administrators
Managing Exchange distribution groups
Managing mail contacts
Managing mail users
Managing mailboxes
Managing mailbox folders
Working with Microsoft SharePoint
Creating mailbox folders
Managing permissions on mailbox folders for multiple users
Deleting mailbox folders
Managing public folders
Using role based access control
Managing user roles
Managing role groups
Managing roles
Setting options for Exchange security
Creating assignments
Modifying assignments
Deleting assignments
Creating child roles
Modifying child roles
Deleting child roles
Adding entities
Modifying entities
Deleting entities
Managing custom scopes
Using the SharePoint menu
Adding SharePoint farms or sites
Managing SharePoint farms or sites
Previewing SharePoint objects
Deploying the SharePoint web service
Deploying the SharePoint web service manually
Managing SharePoint permissions
Working with Access Explorer
Viewing SharePoint permissions
Granting SharePoint permissions
Revoking SharePoint permissions
Cloning SharePoint permissions
Modifying SharePoint permissions
Modifying SharePoint permissions levels
Repairing limited access permissions
Removing permissions on deleted accounts
Removing permissions on disabled accounts
Managing SharePoint groups
Removing accounts from SharePoint groups
Searching for SharePoint objects
Modifying SharePoint properties
Backing up and restoring SharePoint security
Exporting SharePoint permissions
Setting SharePoint options
Removing the SharePoint web service
Removing the SharePoint web service manually
Access Explorer components
Working with Microsoft Active Directory
Managed domain
Registered forest
Managed computer
Access Explorer agent
Scopes
Database
Service accounts
Setting up Access Explorer
Setting up the Access Explorer database
Setting up the first managed domain (includes the service account)
Updating Access Explorer configuration
Adding managed domains
Adding forests
Editing managed domains or forests
Adding service accounts
Editing service accounts
Deleting service accounts
Collecting Access Explorer data
Setting up a managed computer
Installing the Access Explorer agent locally
Installing the Access Explorer agent remotely
Managing managed computers
Modifying managed computer properties
Managing Access Explorer agents
Viewing Access Explorer objects
Searching Access Explorer servers
Using the Access Explorer permission wizard
Changing all permissions
Cloning all permissions
Deleting all permissions
Exporting all permissions
Backing up permissions
Setting options for Access Explorer
Viewing Active Directory permissions
Granting Active Directory permissions
Revoking Active Directory permissions
Cloning Active Directory permissions
Searching for Active Directory objects
Modifying Active Directory permissions
Modifying group memberships
Modifying Active Directory properties
Deleting Active Directory permissions
Backing up and restoring Active Directory security
Exporting Active Directory permissions
Setting options for Active Directory Security
Customizing Security Explorer
Setting general options
Setting view options
Setting alternate credentials for workgroups
Setting alternate credentials for services and tasks
Setting alternate credentials NAS devices
Setting advanced options
Controlling access to Security Explorer
Using the command line
Opening a command prompt window
SxpBackup.exe
SxpClone.exe
SxpExport.exe
SxpGrant.exe
SxpHomeDir.exe
SxpInheritance.exe
SxpOwner.exe
SxpRestore.exe
SxpRevoke.exe
SXPActiveDirectoryBackup
SxpSearch.exe
Using PowerShell cmdlets
What are cmdlets?
Using Security Explorer cmdlets
Troubleshooting
Creating or editing the PowerShell.exe.config file
Installing Security Explorer cmdlets
Installing Security Explorer cmdlets manually
Removing Security Explorer cmdlets
Using cmdlets to set up Access Explorer
Creating the Access Explorer database
Adding a service account
Adding a domain to manage
Adding managed computers
Using cmdlets to get information about Access Explorer objects
Getting service account information
Getting managed domain information
Getting managed computer information
Getting security information for a resource
Getting resource access information
Using cmdlets to manage Access Explorer agents
Identifying agents on a managed computer
Changing the agent configuration on a managed computer
Restarting the agent
Restarting a single agent
Updating an agent
Changing the service account password
Changing the SQL account password
Using cmdlets to remove Access Explorer objects
Access Explorer components
This section defines all of the components that comprise an Access Explorer deployment.
|
• |
|
• |
Managed domain
To ensure that the Access Explorer service can install agents successfully, the Security Explorer® server needs domain user credentials with sufficient access. Access Explorer uses the concept of a managed domain, which is an association of service accounts (user credentials) to Active Directory® domains. When a new service account is added in the configuration, it is automatically granted the required Log On as a Service local user right on the Security Explorer server. This managed domain service account is used to install the agents. Local agents run as Local System and remote agents run as the service account specified during their installation.
For more information, see Adding managed domains.
Registered forest
To register a forest, add the forest to Access Explorer. See Adding forests. When you add a forest, you must provide a service account with sufficient permissions to perform all Access Explorer configuration tasks. If the application needs to resolve a SID or expand group membership from that forest, it will use the associated service account.
When you add a managed domain and the associated Active Directory® forest is not yet registered, the Security Explorer Server will automatically add the forest and use the domain service account credentials as the forest credentials.
Managed computer
A managed computer is any network object that can host resources such as files, folders, and shares. Currently supported resources include Windows® computers, Windows® clusters, and certain network attached storage (NAS) devices. When the user adds a managed computer, Configuration Manager deploys an Access Explorer agent to scan that computer. The agent may be installed on the computer (local agent) or it may be installed on another computer (remote agent). Detailed access information is maintained on the agent computer, only sending general access information to the server.