Chat now with support

Get Live Help
Complete Registration

Sign In

Request Pricing

Contact Sales

Security Explorer 9.8 - User Guide

Table of Contents

Getting Started with Security Explorer

Starting Security Explorer

Using the Navigation pane Using the Objects pane Using the Permissions pane

Customizing the view

Choosing an interface mode Using the Tasks tab Using the status bar Using the loading progress bar Managing module buttons

Completing a process

Managing permissions

Viewing permissions Granting permissions

Using the Browse tab to grant permissions Using the Grant task

Revoking permissions

Using the Browse tab to revoke permissions Revoking permissions on unknown accounts Revoking permissions on disabled accounts Using the Revoke tasks

Cloning permissions

Using the Browse tab to clone permissions

Selecting users and groups manually Selecting users and groups automatically Updating permissions relating to a user's SID history Importing users and groups

Using the Clone task

Creating permission templates Copying permissions Copying permissions to subfolders and files Setting ownership

Using the Browse tab to set ownership Using the Set Ownership task

Modifying permissions Reducing permissions to read only Managing group memberships Renaming accounts Deleting permissions

Deleting permissions by searching

Printing permissions

Running a report using the Browse tab Running a report using the Reports or Tasks tab

Using the Browse tab to search Managing saved searches Adding a search scope Setting search criteria

Group and user search criteria Permission search criteria Folder and file search criteria Service and task search criteria Group and user search criteria Advanced search options Registry key search criteria

Using the Search tasks Replacing permissions

Managing security

Backing up security

Using the Browse tab to back up security Using the Backup task

Scheduling a backup Using the backup scheduler Restoring security

Setting advanced options for the restore process

Purging backup files Scheduling a backup purge Exporting security

Using the Browse tab to export security Using the Export task Scheduling an export Managing export tasks

Managing objects

Managing folders and files

Creating a new folder Deleting a folder or file Viewing folder and file properties Showing open files Opening files Editing files Opening a folder in Windows Explorer

Managing shares

Creating a new share Removing a share Finding a share path

Managing registry keys

Creating a new registry key Deleting a registry key Modifying registry values

Managing services

Starting, stopping, pausing, or restarting a service Setting logon accounts Changing the password for a logon account Scheduling logon account password changes Removing a service Modifying service properties

Running a task Setting account information Creating a new task Copying a task Exporting a task Removing a task Modifying task properties

Managing groups and users

Viewing accounts Creating a new group Creating a new user Modifying group and user properties Modifying group or user Active Directory properties Modifying properties of multiple users Modifying group memberships Viewing group and user memberships Changing user passwords Modify memberships of multiple local groups Clearing the local administrator group Deleting groups and users

Managing Favorites

Adding Favorites Exporting Favorites Importing Favorites Removing Favorites

Managing Enterprise Scopes

Creating an Enterprise Scope while browsing Creating an Enterprise Scope Editing an Enterprise Scope Removing an Enterprise Scope

Updating licenses Managing network drives

Mapping a network drive Disconnecting a network drive

Working with Microsoft SQL Server

Viewing SQL Server permissions Granting SQL Server permissions Revoking SQL Server permissions Cloning SQL Server permissions Modifying SQL Server permissions Searching for SQL Server objects and permissions

Setting SQL Server search criteria

Backing up and restoring SQL Server security Exporting SQL Server database permissions Managing SQL Server objects

Copying SQL Server objects Copying SQL Server permissions Managing SQL Server databases

Adding a new database role Removing a database role Modifying a database role Adding a new database user Removing a database user Modifying a database user Adding a new schema Removing a schema Modifying a schema

Managing logins

Adding a new login Removing a login Modifying a login

Managing server roles

Adding a server role Removing a server role Modifying server roles

Managing Security SQL Reporting Services

Managing system roles

Creating a new system role Deleting system roles Modifying a system role

Managing catalog roles

Creating a new catalog role Deleting catalog roles Modifying a catalog role

Managing catalog items

Granting SSRS permissions Revoking SSRS permissions Cloning SSRS permissions Searching for SSRS permissions Modifying SSRS permissions Copying SSRS permissions Deleting SSRS permissions Exporting SSRS permissions Backing up and restoring SSRS permissions

Setting options for SQL Server Modifying SQL Server security settings Managing SQL Server network settings

Working with Microsoft Exchange

Checking minimum requirements Viewing Exchange permissions Granting Exchange permissions Revoking Exchange permissions Cloning Exchange permissions Searching for Exchange server objects and permissions

Setting Exchange security search criteria

Backing up and restoring Exchange server security Modifying Exchange permissions Managing Exchange group memberships Exporting Exchange security permissions Creating Exchange databases Creating public folder mailboxes Managing Exchange administrators

Adding Exchange administrators Modifying Exchange administrators Deleting Exchange administrators

Managing Exchange distribution groups Managing mail contacts

Creating mail contacts Modifying mail contacts Deleting mail contacts

Managing mail users

Creating mail users Modifying mail users Deleting mail users

Managing mailboxes

Creating mailboxes Modifying mailbox settings Deleting mailboxes

Managing mailbox folders

Creating mailbox folders Managing permissions on mailbox folders for multiple users Deleting mailbox folders

Managing public folders

Creating public folders Modifying public folder settings Deleting public folders

Using role based access control

Managing user roles

Adding a user role Modifying user roles Deleting user roles

Managing role groups

Adding role groups Modifying role groups Deleting role groups

Creating assignments Modifying assignments Deleting assignments Creating child roles Modifying child roles Deleting child roles Adding entities Modifying entities Deleting entities

Managing custom scopes

Creating a custom scope Editing a custom scope Deleting custom scopes

Setting options for Exchange security

Working with Microsoft SharePoint

Using the SharePoint menu Adding SharePoint farms or sites Managing SharePoint farms or sites Previewing SharePoint objects Deploying the SharePoint web service Deploying the SharePoint web service manually Managing SharePoint permissions

Viewing SharePoint permissions Granting SharePoint permissions Revoking SharePoint permissions Cloning SharePoint permissions Modifying SharePoint permissions Modifying SharePoint permissions levels Repairing limited access permissions Removing permissions on deleted accounts Removing permissions on disabled accounts

Managing SharePoint groups Removing accounts from SharePoint groups Searching for SharePoint objects

Setting SharePoint security search criteria

Group and user search criteria Permission search criteria SharePoint Search Criteria

Modifying SharePoint properties Backing up and restoring SharePoint security Exporting SharePoint permissions

Deleting export tasks

Setting SharePoint options Removing the SharePoint web service Removing the SharePoint web service manually

Working with Access Explorer

Access Explorer components

Managed domain Registered forest Managed computer Access Explorer agent Scopes Database Service accounts

Setting up Access Explorer

Setting up the Access Explorer database Setting up the first managed domain (includes the service account)

Updating Access Explorer configuration

Adding managed domains Adding forests Editing managed domains or forests Adding service accounts Editing service accounts Deleting service accounts

Collecting Access Explorer data

Setting up a managed computer Installing the Access Explorer agent locally Installing the Access Explorer agent remotely

Windows Servers NAS Servers Clusters

Managing managed computers Modifying managed computer properties

Adding a keyword Changing the scan schedule Modifying the scope of a scan

Managing Access Explorer agents

Viewing agent details Changing the service account Adding an agent to a locally-managed computer Adding an agent to a remotely-managed computer Removing a managed computer Restarting an agent Understanding the status of your agent

Viewing Access Explorer objects

Viewing groups and users Viewing computers Viewing resource groups Viewing permissions

Searching Access Explorer servers Using the Access Explorer permission wizard

Changing all permissions Cloning all permissions Deleting all permissions Exporting all permissions Backing up permissions

Setting options for Access Explorer

Working with Microsoft Active Directory

Viewing Active Directory permissions Granting Active Directory permissions Revoking Active Directory permissions Cloning Active Directory permissions Searching for Active Directory objects Modifying Active Directory permissions Modifying group memberships Modifying Active Directory properties Deleting Active Directory permissions Backing up and restoring Active Directory security Exporting Active Directory permissions

Using the Active Directory Export task

Setting options for Active Directory Security

Customizing Security Explorer

Setting general options Setting view options Setting alternate credentials for workgroups Setting alternate credentials for services and tasks Setting alternate credentials NAS devices Setting advanced options Controlling access to Security Explorer

Using the command line

Opening a command prompt window SxpBackup.exe SxpClone.exe SxpExport.exe SxpGrant.exe SxpHomeDir.Exe SxpInheritance.exe SxpOwner.exe SxpRestore.exe SxpRevoke.exe SXPActiveDirectoryBackup

Using PowerShell cmdlets

What are cmdlets? Using Security Explorer cmdlets

Creating or editing the PowerShell.exe.config file Installing Security Explorer cmdlets Installing Security Explorer cmdlets manually Removing Security Explorer cmdlets

Using cmdlets to set up Access Explorer

Creating the Access Explorer database Adding a service account Adding a domain to manage Adding managed computers

Using cmdlets to get information about Access Explorer objects

Getting service account information Getting managed domain information Getting managed computer information Getting security information for a resource Getting resource access information

Using cmdlets to manage Access Explorer agents

Identifying agents on a managed computer Changing the agent configuration on a managed computer Restarting the agent Restarting a single agent Updating an agent Changing the service account password Changing the SQL account password

Using cmdlets to remove Access Explorer objects

Removing a managed computer Removing a managed domain Removing a service account

Troubleshooting

Repairing inheritance Creating test folders and files Using log files SharePoint web service removal fails Uninstalling Security Explorer

Getting managed computer information

Now that there is a managed computer you will want to know the status of the agent and the identification for the managed computer.

An important field to note in the output is the Status field as it provides information as to the status of the agent. For example, if you see the Status is still reporting DeployingAgent 15 minutes after you deployed the agent, then something is wrong as deployment should only take a few minutes.

Get-AEManagedComputers [-ManagedComputerName <String>] [-ManagedComputerId <String>]

In this example, because a managed computer is not specified, the cmdlet returns information on all managed computers.

Get-AEManagedComputers

Agents : {AMER\AMERGENDC S-1-5-21-3504372180-144029308-885861804-1001}

ManagedHostId : f13a510b-dc5d-43f6-815b-0020f3da275d

ManagedHostSid : S-1-5-21-3504372180-144029308-885861804-1001

ComputerSamSid :

ManagedDomainId : da4e1710-f80b-4fc5-84fb-2582f9519995

HostName : AMERGENDC

SamAccountName : AMERGENDC

HostDnsName : AMERGENDC.AMER.amer.sitraka.com

HostDomainName : amer.amer.sitraka.com

Management : Local

Status : DeployingAgent

InternalStatus : Ok

ResourceNodeId : 3

ResourceActivityTrackingSupported : True

In this example, a managed computer is specified, so the cmdlet returns information on only the AMERGENDC managed computer.

Get-AEManagedComputers -ManagedComputerName AMERGENDC

Agents : {AMER\AMERGENDC S-1-5-21-3504372180-144029308-885861804-1001}

ManagedHostId : f13a510b-dc5d-43f6-815b-0020f3da275d

ManagedHostSid : S-1-5-21-3504372180-144029308-885861804-1001

ComputerSamSid : S-1-5-21-2573059503-884258253-2950429726

ManagedDomainId : da4e1710-f80b-4fc5-84fb-2582f9519995

HostName : AMERGENDC

SamAccountName : AMERGENDC

HostDnsName : AMERGENDC.AMER.amer.sitraka.com

HostDomainName : amer.amer.sitraka.com

Management : Local

InternalStatus : Ok

ResourceNodeId : 3

ResourceActivityTrackingSupported : True

In this example, information about the managed computer specified by the ManagedComputerId (also known as the ManagedHostId) is returned.

Get-AEManagedComputers -ManagedComputerId f13a510b-dc5d-43f6-815b-0020f3da275d

Agents : {AMER\AMERGENDC S-1-5-21-3504372180-144029308-885861804-1001}

ManagedHostId : f13a510b-dc5d-43f6-815b-0020f3da275d

ManagedHostSid : S-1-5-21-3504372180-144029308-885861804-1001

ComputerSamSid : S-1-5-21-2573059503-884258253-2950429726

ManagedDomainId : da4e1710-f80b-4fc5-84fb-2582f9519995

HostName : AMERGENDC

SamAccountName : AMERGENDC

HostDnsName : AMERGENDC.AMER.amer.sitraka.com

HostDomainName : amer.amer.sitraka.com

Management : Local

InternalStatus : Ok

ResourceNodeId : 3

ResourceActivityTrackingSupported : True

Getting security information for a resource

All of the components needed for Access Explorer are now in place so now you can start to retrieve security information in the form of the ACL (access control list) about specific resources (shares, folders, and files) on your managed computers. The resource in question is to be in the format \\computer\share\folder\file.ext and wild characters are not permitted. Note that the cmdlet requires not only the computer name, but also the domain in which the computer resides, because the service account for the domain is needed to access the resource.

Get-AEResourceSecurity [-ResourceUri] <String> [-ResType] <String> [-DomainDNSName] <String>

In this example, the cmdlet returns the ACL for the file specified in the ResourceUri parameter.

Get-AEResourceSecurity -ResourceUri \\AMERGENDC\files\SmallClassDataset\test4.txt -ResType Files -DomainDNSName AMER.amer.sitraka.com

O:BAG:DUD:AI(A;ID;FA;;;S-1-5-21-3504372180-144029308-885861804-1106)

(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)

In this example, the cmdlet returns the ACL for the folder specified in the ResourceUri parameter.

Get-AEResourceSecurity -ResourceUri \\AMERGENDC\files\SmallClassDataset -ResType Folders -DomainDNSName AMER.amer.sitraka.com

O:BAG:DUD:AI(A;OICI;FA;;;S-1-5-21-3504372180-144029308-885861804-1106)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)(A;OICIID;0x1200a9;;;BU)

(A;CIID;LC;;;BU)(A;CIID;DC;;;BU)(A;OICIIOID;GA;;;CO)

In this example, the cmdlet returns the ACL for the share specified in the ResourceUri parameter.

Get-AEResourceSecurity -ResourceUri \\AMERGENDC\Files -ResType Shares -DomainDNSName AMER.amer.sitraka.com

Getting resource access information

In addition to the security information ACL for a resource, you also can get information on who currently has access to the resource. Since the information obtained by the Get-AEResourceAccess cmdlet cannot be read from the command line, you must use the Export-AEResourceAccessAsCSV cmdlet to export the information to a CSV file.

Exporting access information to a CSV file

Export-AEResourceAccessAsCSV [-ResourceAccessResults] <ResourceAccessQueryResults> [-OutputPath] <String> [[-DisplayInheritedSecurity] [<SwitchParameter>]] [[-OptimizeForExcel] [<SwitchParameter>]]

In this example as this cmdlet works in conjunction with the cmdlet used to get access information the first thing and not shown here, is to get some information on a resource stored into a variable, $resourceAccess. The variable is then piped into the Export-AEResourceAccessAsCSV, which outputs the CSV file. In this case the variable is used as an input parameter for the cmdlet and CSV file is optimized for Excel.

$resourceAccess | Export-AEResourceAccessAsCSV –OutputPath "C:\ResourceAccessInfo.csv"

Export-AEResourceAccessAsCSV -ResourceAccessResults $resourceAccess –OutputPath

"C:\ResourceAccessInfo.csv" -OptimizeForExcel

Now that you have seen how to get the information out to a file in any location you wish, let’s look at how to get the access information for a resource. With the cmdlet used to get the access information you can retrieve file, folder, share, and service identity rights.

Get-AEResourceAccess [-ManagedComputerId] <String> [-ResourceType] <ResourceAccessQueryResourceType> [[-Resources] <String[]>] [-ExcludeSubObjectDeviations [<SwitchParameter>]]

In this example, the Get-AEResourceAccess cmdlet gets resource access (folder security) for the folder SmallClassDataset that resides on a locally managed computer with the id f13a510b-dc5d-43f6-815b-0020f3da275d. The results are saved to the $resourceAccess variable, which is then exported to a file using the Export-AEResourceAccessAsCSV cmdlet.

$resourceAccess = Get-AEResourceAccess -ManagedComputerId f13a510b-dc5d-43f6-815b-0020f3da275d -ResourceType Folder -Resources \\AMERGENDC\Files\\SmallClassDataset -ExcludeSubObjectDeviations

$resourceAccess | Export-AEResourceAccessAsCSV –OutputPath "C:\ResourceAccessInfo.csv"

In this example, resource access (folder security) is obtained for two folders, \\AMERGENDC\C$\Test1 and \\AMERGENDC\C$\Test2, that are located on a remotely managed computer with the ID 973c7042-c413-45fb-9f52-057c64d4f800. The results are placed in the $resourceAccess variable and exported to a CSV file using the Export-AEResourceAccess cmdlet.

$resourceAccess = Get-AEResourceAccess 973c7042-c413-45fb-9f52-057c64d4f800 Folder "\\AMERGENDC\C$\Test1","\\AMERGENDC\C$\Test2"

$resourceAccess | Export-AEResourceAccessAsCSV –OutputPath "C:\ResourceAccessInfo.csv"

In this example, resource access (share security) is obtained for the share, Files, that is located on a managed computer with the ID f13a510b-dc5d-43f6-815b-0020f3da275d. The results are placed in the $resourceAccess variable and exported to a CSV file using the Export-AEResourceAccessAsCSV cmdlet.

$resourceAccess = Get-AEResourceAccess -ManagedComputerId f13a510b-dc5d-43f6-815b-0020f3da275d -ResourceType Share -Resources "Files"

$resourceAccess | Export-AEResourceAccessAsCSV –OutputPath "C:\ResourceAccessInfo.csv"

In this example, resource access (security identities) is obtained for the services, TermService (Remote Desktop Services) and SessionEnv (Remote Desktop Configuration), that are located on a managed computer with the ID f13a510b-dc5d-43f6-815b-0020f3da275d. The results are placed in the $resourceAccess variable and exported to a CSV file using the Export-AEResourceAccessAsCSV cmdlet.

$resourceAccess = Get-AEResourceAccess -ManagedComputerId f13a510b-dc5d-43f6-815b-0020f3da275d -ResourceType ServiceIdentity -Resources TermService, SessionEnv

$resourceAccess | Export-AEResourceAccessAsCSV –OutputPath "C:\ResourceAccessInfo.csv"

Output of the Export-AEResourceAccessAsCSV cmdlet

The following is an example of the information in an output CSV file from the Export-AEResourceAccessAsCSV cmdlet.

***********************************

Resource Access Report (CSV Format)

***********************************

"C:\Files - dummy files for scanning\SmallClassDataset"

"Uri","C:\Files - dummy files for scanning\SmallClassDataset",

"DisplayName","",

"ResourceType","NTFS\Folder",

DataRoot,"True"

TrusteeName,TrusteeSid,TrusteeType,"Rights","RightType","Inheritance","AppliesTo","Explicit",

"CREATOR OWNER","S-1-3-0","WellKnownGroup","Full Control","Allow Access","Inherited","Subfolders and Files Only","False",

"NT AUTHORITY\SYSTEM","S-1-5-18","WellKnownGroup","Full Control","Allow Access","Inherited","This Folder, Subfolders, and Files","False",

"RPTCH\ABARCAK","S-1-5-21-3504372180-144029308-885861804-1106","User","Full Control","Allow Access","Explicit","This Folder, Subfolders, and Files","True",

"BUILTIN\Administrators","S-1-5-32-544","Alias","Full Control","Allow Access","Inherited","This Folder, Subfolders, and Files","False",

"BUILTIN\Users","S-1-5-32-545","Alias","Create Files / Write Data","Allow Access","Inherited","This Folder and Subfolders","False",

"BUILTIN\Users","S-1-5-32-545","Alias","Create Folders / Append Data","Allow Access","Inherited","This Folder and Subfolders","False",

"BUILTIN\Users","S-1-5-32-545","Alias","Read And Execute","Allow Access","Inherited","This Folder, Subfolders, and Files","False",

*****************End********************

Using cmdlets to manage Access Explorer agents

You use Security Explorer to install the Access Explorer agents, but you can manage the installed agents using the Access Explorer cmdlets.

•

Identifying agents on a managed computer

•

Changing the agent configuration on a managed computer

•

Restarting the agent

•

Updating an agent

•

Changing the service account password

•

Changing the SQL account password

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating

© 2024 Quest Software Inc. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy Cookie Preference Center