Users Admin Group in WS 2012

Recently users got deleted from the Admin group in Windows Server 2012. Is there any tracking enabled, or how do I check when and how they were deleted?
I have gone through the security audit logs but could not find much information. Please help.
Thanks, Ram Ch

Hi,
If auditing is not enabled for such changes then you won't see anything logged in the security log.
http://www.windowsecurity.com/articles-tutorials/windows_os_security/Auditing-Users-Groups-Windows-Security-Log.html
Basically you would need a GPO (if you are in an AD domain) and enable "Audit Account Management" for success/failure if you want to see both types of changes. The GPO should be linked to where you have your servers/workstations placed (organizational unit).
If you want to see changes on the domain security/distribution groups then the same GPO setting would be linked to the Domain Controllers OU. You can either configure the default domain controllers policy or create a new one for this.
Hope this helps.
Regards,
Calin
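
Once "Audit Account Management" is enabled, group membership changes are written to the Security log and can be pulled out with a script. The following is an added example, not part of the original thread: the event IDs are the standard Windows IDs for security-enabled group changes, while the function names and the sample event XML are constructed for illustration.

```powershell
# Added example. Security-log event IDs for changes to security-enabled groups.
$GroupChangeIds = @{
    4728 = 'added to global group';    4729 = 'removed from global group'
    4732 = 'added to local group';     4733 = 'removed from local group'
    4756 = 'added to universal group'; 4757 = 'removed from universal group'
}

# Turn one event (as XML) into a record: who changed which group, and when.
function ConvertFrom-GroupChangeXml {
    param([Parameter(Mandatory)][string]$EventXml)
    $e = ([xml]$EventXml).Event
    $data = @{}
    foreach ($d in $e.EventData.Data) { $data[$d.Name] = $d.'#text' }
    # EventID is plain text unless the element carries attributes.
    $idNode = $e.System.EventID
    $id = if ($idNode -is [string]) { [int]$idNode } else { [int]$idNode.'#text' }
    [pscustomobject]@{
        TimeCreatedUtc = $e.System.TimeCreated.SystemTime
        Computer       = $e.System.Computer
        EventId        = $id
        Action         = $GroupChangeIds[$id]
        Group          = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
        MemberSid      = $data.MemberSid     # local-group events often log only the SID
        MemberName     = $data.MemberName
        ChangedBy      = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
        LogonId        = $data.SubjectLogonId  # correlate with the 4624 logon event
    }
}

# Live query against the Security log (needs an elevated session).
function Get-GroupMembershipChange {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$After = (Get-Date).AddDays(-30)
    )
    $filter = @{
        LogName   = 'Security'
        Id        = [int[]]@($GroupChangeIds.Keys)
        StartTime = $After
    }
    try {
        Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop |
            ForEach-Object { ConvertFrom-GroupChangeXml -EventXml $_.ToXml() }
    } catch {
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
            # Nothing logged: auditing was off, or the log has rolled over.
            Write-Warning "No group-change events on $ComputerName since $After."
        } else {
            throw
        }
    }
}

# Constructed sample of a 4733 event (member removed from local Administrators).
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4733</EventID>
    <TimeCreated SystemTime="2015-01-12T08:41:17.000000000Z" />
    <Computer>SRV01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="MemberName">-</Data>
    <Data Name="MemberSid">S-1-5-21-1111111111-2222222222-3333333333-1105</Data>
    <Data Name="TargetUserName">Administrators</Data>
    <Data Name="TargetDomainName">Builtin</Data>
    <Data Name="TargetSid">S-1-5-32-544</Data>
    <Data Name="SubjectUserSid">S-1-5-21-1111111111-2222222222-3333333333-1001</Data>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="SubjectLogonId">0x3e7a1</Data>
  </EventData>
</Event>
'@

# Offline demonstration on the constructed event.
ConvertFrom-GroupChangeXml -EventXml $sampleXml | Format-List

# On a real server:
# Get-GroupMembershipChange -After (Get-Date).AddDays(-14) | Format-Table -AutoSize
# Current audit setting:
# auditpol.exe /get /category:"Account Management"
```

Changes made before auditing was switched on are not in the log, so an empty result does not mean nothing happened.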

Similar Messages

  • Adding a domain user to Local Admin Groups using MDT 2012

    I don't know if this will help anyone, but it did me after weeks of searching.  If you are trying to add a domain user or domain groups to the local administrators group using MDT, simply go to the cs.ini and add "SkipAdminAccounts=No". 
    But the administrators accounts page will only appear if you choose to join a domain. 

    Correct, if you were to go into the %DeployRoot%\Scripts\DeployWiz_Definition_ENU.xml file you would see the entry for the DeployWiz_AdminAccounts.xml page as follows:
    <Pane id="AdministratorAccounts" reference="DeployWiz_AdminAccounts.xml">
    <Condition><![CDATA[ UCase(Property("SkipAdminAccounts")) = "NO" and UCase(Property("DeploymentType"))<>"REPLACE" and Property("DeploymentType")<>"CUSTOM" and Property("JoinDomain") <> "" ]]></Condition>
    </Pane>
    Most Wizard Pages are displayed by default, and you can turn them off by using the SkipXxxXxxxxx Page variable to hide them during wizard execution. This page is different, since it was added for MDT 2012, the MDT team decided to leave it *OFF* by default,
    instead you must explicitly turn off the SkipAdminAccounts variable by setting it to "NO".
    Additionally, you would not need to display this page if you were running a Refresh or a Custom Task Sequence.
    Finally, this page does not actually *create* accounts, instead it just adds pre-existing user accounts and adds them to the local Administrators group. This scenario is only valid when you are joining the machine to a domain, so you must Join to the Domain.
    If you are interested in adding other local users to the Administrators Group, you should write a script to create the account(s) and add them to the local group. Windows 8.1 has some *gotchas* that have to do with Microsoft Accounts, but that's a different
    Story :^).
    Keith Garner - keithga.wordpress.com

  • Delegated user admin and export Roles&Groups ?

    Hi experts,
    I'm searching for some tips in order to allow my users' delegated user admin group to export UME Roles and Groups. However, my users had no problem assigning their roles to themselves.
    I'm working on EP 7.0 SP14 and my UME is an ABAP system.
    Can you give me some advice to get out of this issue?
    Best regards,

    Hi experts,
    I'll try to complete my question:
    I've added Batch action to my delegated user role, but it's not enough to perform export operation.
    I hope if i can find a combination of actions without "Manage ALL" that i can assign to my delegated user role.
    Best regards,

  • DPM 2012 still requires put end users into local admin groups for the purpose of end user data recovery?

    On client computers that are protected by DPM 2010 and prior versions, you had to put the end users account in the local administrators group. If you did not add the end user account to the local administrators group you would get this error after opening
    the recovery tab in the DPM client: “DPM found no recovery points which you are authorized to restore on the specified DPM server. You can restore only those recovery points for which you were an administrator at the time the
    backup was taken. To restore other recovery points, contact your DPM administrator, or attempt to restore from another DPM.”  This is not ideal on many networks because the end users are not allowed to have local administrator access.
    The fix to this was included in hotfix 2465832 found here: http://support.microsoft.com/kb/2465832.
    This hotfix (a hotfix rollup package for DPM 2010) resolves other issues with DPM 2010 as well. You can find the full list of what this hotfix corrects on that link.
    One would think this issue should have been resolved in DPM 2012, however I am encountering the same exact issue, had to include end-users into the workstation local admin group before they can search for recovery points on the DPM server. This is not acceptable
    practice.
    Is there a new hotfix for the same issue on DPM 2012? I am hesitant to apply KB2465832 since it also includes many other fixes for DPM 2010, which may not be applicable to version 2012.
    Please help.
    Thanks,

    This is a hands off solution to allow all users that use a machine to be able to restore their own files.
    1) Make these two cmd files and save them in c:\temp
    2) Using windows scheduler – schedule addperms.cmd to run daily – any new users that log onto the machine will automatically be able to restore their own files.
    <addperms.cmd>
    Cmd.exe /v /c c:\temp\addreg.cmd
    <addreg.cmd>
    set users=
    echo Windows Registry Editor Version 5.00>c:\temp\perms.reg
    echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Data Protection Manager\Agent\ClientProtection]>>c:\temp\perms.reg
    FOR /F "Tokens=*" %%n IN ('dir c:\users\*. /b') do set users=!users!%Userdomain%\\%%n,
    echo "ClientOwners"=^"%users%%Userdomain%\\bogususer^">>c:\temp\perms.reg
    REG IMPORT c:\temp\perms.reg
    Del c:\temp\perms.reg
    Regards, Mike J. [MSFT]
    That's a good one! Thanks for that.
    I've been scripting on KIX for some time, so here is mine, hope it helps to someone... (it's probably not the best, but it works)
    ========================================================================
    $RC=setoption("WOW64AlternateRegView","on") 
    $DPMkey = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Data Protection Manager\Agent\ClientProtection"
    $uservariable = "%userdomain%\%username%"
    If KeyExist ($DPMkey)
    $Userstring=ReadValue($DPMkey, "ClientOwners")
    If $Userstring == ""
    WriteValue($DPMkey,"ClientOwners", $uservariable, "REG_MULTI_SZ")
    ? "Key created"
    else
    If not instr($Userstring,$uservariable)
    $Userstring = "$Userstring,$uservariable"
    WriteValue($DPMkey,"ClientOwners", $Userstring, "REG_MULTI_SZ")
    EndIf
    Endif
    EndIf
    ==========================================================================
    The problem actually is that you still need to use an admin account to write on the registry, so ensure you configure it properly on the schedule task.
    In case you use a service account on the schedule task... the "$uservariable" will get populated with that account. As a work around to this... I changed it for the following line:
    =========================================================
    $uservariable = ReadValue("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI", "LastLoggedOnSAMUser")
    =========================================================
    The only problem with that is that the key gets created/updated only if the user logs on physically at that PC, but it will not work for anyone connecting through RDP.

  • User Accounts in Domain Admins group do not have full administrative rights to the server

    Our server was fine until recently one day we lost admin access for admin user accounts. If we log in to the server with the Domain Admin account, this account has full admin access to the server and can install and launch all programs and even all server
    admin tools. If we log into the server with a user account which is in the Domain Admins group, that account cannot install software or launch Services.MSC. Even IE will not load any page and crash with a "Not Responding" Error.
    The server has no viruses we even ran SFC /SCANNOW and it did repair from corrupted files but that didn't fix the issue.
    Any ideas?

    Hi Rick,
    Maybe UAC is blocking installation. Have it disabled and see if it helps.  Ensure you have the domain admin groups added into the local administrators group.
    Also check these links please.
    https://social.technet.microsoft.com/Forums/en-US/b5300f28-6a2a-4760-8b80-97a2da0f87c1/2012-domain-admin-user-cannot-install-programs-on-a-domain-windows-7-pc?forum=winserverDS
    https://social.technet.microsoft.com/Forums/en-US/0ca040de-52ac-4259-bf78-c22436fd04d4/domain-users-with-domain-admins-right-cannot-install-programs-or-open-server-manager?forum=winserverDS
    Thanks,
    Umesh.S.K

  • I have two users listed in my admin group. How do I get rid of one?

    I have two users listed in my admin group, but the undesired one doesn't show up in users and groups settings pane. How do I get rid of it?

    Well, I found a link which showed me how to find the hidden/unwanted user and get rid of it (remove hidden users: Apple Support Communities). Now when I get info from the drive on my network I find this:
    Is this normal? I would expect to find something other than (unknown).

  • Local admin vs user placed in local admin group

    what are the differences between the built-in and the user placed in the admin local group.  I noticed when installing Cisco's AnyConnect 3.x client as a user who has been elevated to the local admin group  that when the install is complete the settings only apply to the specific user used during the install as opposed to when the built-in
    admin (I am aware of the option for this) ...my question is  are there any window applications that require well known security identifiers (sid).
    or
    simply put what are the differences between the built-in and the user placed in the admin local group..I experienced differences and wanted to know where I can get more information

    Hi,
    There are some subtle differences. The built-in administrator account SID is well known for programming logic by 3rd parties.
    For the built-in admin, UAC is disabled by default. That means that the built-in admin never requires elevation. But, as we all know, UAC can be turned off by the user so even when an admin user launches a program, he will be elevated automatically.
    The built-in admin account can't be deleted (though it can be disabled).
    Karen Hu
    TechNet Community Support

  • Admin Console not displaying new Users and Groups from LDAP

    We created a new Realm in WebLogic, which specifies the location of the Netscape
    LDAP server. Our Weblogic application, called TGSLC, is able to find the ldap
    server to use for authentication. My problem is this- the Admin Console is not
    displaying the new users and groups from the LDAP server. Shouldn't the WebLogic
    Admin Console display any users and groups specified in the ldap server, which
    is referenced in the customized Realm?

    Hi Andy,
    I am not sure why you are unable to see the users and groups through the
    console., you should be able to. Can you post the config.xml?
    thanks,
    -satya
    Andy Levy <[email protected]> wrote in message
    news:3b700c36$[email protected]..
    >
    We're running WLS 6.0 Sp2 on Windows 2000 Professional.
    "Satya Ghattu" <[email protected]> wrote:
    Andy,
    Could you please tell us what Version of Weblogic you are running?
    thanks,
    -satya

  • Can not add Domain User to Local Admin Group Win8.1

    Hello, 
    I am trying to add a domain user to the local admin account on a Win8.1 Enterprise computer. When I click the check name button it asks me to enter network credentials even though I am signed in to the computer with a domain admin account. When I try to
    type in any of my domain admin accounts it says "The Username or Password is incorrect". Even though I used that same account to login with. I can successfully ping all 3 of my DCs from the computer and have tried putting my second DC as the primary
    DNS and my third DC as the primary DC and same problem. I have checked for Active Directory errors on the DC and everything says it is running fine on the DC in server manager. I have this problem on multiple computers. Some of the computers it will work on
    but 90% of them it won't allow me to add the local user to the local admin group. 
    DCs are running Win Server 2008 R2 Enterprise. 
    Any help would be greatly appreciated. 
    Thank You

    I would suggest you use Restricted Groups (via GPO) to add domain users/groups to the local admins group.
    1) Create a new group in Active Directory
    Create a new group in Active Directory that you wish to add to every workstation's local administrators group. DO NOT add any users to this group at this time.
    2) Create a new GPO
    Create a new group policy object and link it to the desired OU. Make sure that the GPO you are using covers the OU containing the WORKSTATIONS you want to give users local administrative rights over.
    3) Edit the newly created GPO
    Navigate within the newly created GPO to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Restricted Groups
    4) Add your new Active Directory group to the Restricted Group
    Right-click the Restricted Groups folder and select "Add Group" to add your new Active Directory group to the Restricted Group. In the Group field, type the name of the newly created Active Directory group and click "OK"
    5) Add the Restricted Group to the local administrator group
    In the Restricted Group Properties window click "Add" under the section titled "This group is a member of:" Type "Administrators" (without the quotes and yes it is plural) in the Group Membership window and click "OK"
    6) Wait for GPO updates to apply to the workstations
    Once your users receive their updated group policy settings every workstation within the OU you specified will have your new Active Directory group as a member of the local administrators group. If you need to force the GPO update on a specific workstation, run "gpupdate /force" in a command window on that workstation.
    7) Add a user or group of users to the Active Directory Restricted Group
    When you are ready, or in a position where you need to provide local workstation admin rights, you can simply add the users or group of users to the Active Directory group that you created for use with Restricted Groups within your Active Directory Management Console.

  • List users in local admin group on all workstations

    Hi, I created a script that is supposed to query workstations and list all users in the local admin group. I originally used "test-connection" for logging purposes but it caused an issue when the computer responded but DNS was incorrect for that PC, so I would get a false list of local admin members on that workstation. I changed to a WMI query instead and queried the system name using that, so if the system name matches the workstation name being queried then it is supposed to write to a CSV. For some reason, when I use $wmi.name as the variable, it does not work. What am I missing?
        $CurrentDate = Get-Date
        $CurrentDate = $CurrentDate.ToString('MM-dd-yyyy_hh-mm-ss')
        import-module activedirectory
        $servers = get-content "C:\Scripts\AD Audits\Local Admin\workstations.txt"
        $output = "c:\temp\local admin audit $CurrentDate.csv"
        $results = @()
        $servers | ForEach-Object {
            $wmi = gwmi win32_ComputerSystem -ComputerName $_ -ErrorAction SilentlyContinue
            $connected = Test-Connection $_ -Count 1 -Quiet -ErrorAction SilentlyContinue
            $state = if($wmi.name -eq '$_') {"$_ Verified"} else {"$_ did not respond"}
            $state | Out-File -Append "c:\temp\LocalAdmin log $CurrentDate.txt"
            $group = [ADSI]"WinNT://$_/Administrators,group"
            $members = $group.Members() | ForEach-Object {$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null) }
            if($wmi) {
                New-Object PSObject -Property @{
                    DistinguishedName = (Get-ADComputer $_).DistinguishedName
                    Server = $_
                    Members = $members -join ";"
                }
            }
        } | Export-Csv $Output -NoTypeInformation

    I agree use GP it is more reliable and easier to manage.
    For the sake of demonstration of how this can be done, here is how most of us would be likely to do this, or a very close variation.
    There is no issue with using Test-Connection and DNS.  AD/DNS cannot have the wrong names or your domain would crash.  Using Get-ADComputer instead of a file eliminates stale information.
    $csvfile="c:\temp\local admin audit $([DateTime]::Now.ToString('MM-dd-yyyy_hh-mm-ss')).csv"
    import-module activedirectory
    #adjust Filter as needed
    $adfilter='OperatingSystem -like "Windows 7*" -or OperatingSystem -like "Windows XP*"'
    Get-AdComputer -Filter $adfilter |
        ForEach-Object{
            # one output row per computer, filled in only if it answers
            $props=@{
                Server=$_.Name
                IsAlive=$false
                DistinguishedName=$_.DistinguishedName
                Members=$null
            }
            if(Test-Connection $_.Name -Count 1 -Quiet){
                $props.IsAlive=$true
                $group =[ADSI]"WinNT://$($_.Name)/Administrators,group"
                # read the Name property of each member of the local Administrators group
                $members=$group.Members() |
                    ForEach-Object{
                        $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)
                    }
                $props.Members=$members -join ";"
            }
            New-Object PSObject -Property $props
        } |
        Export-Csv $csvfile -NoTypeInformation
    Use GP and you won't have to be bothered with all of these techy details that usually require a Network Admin to sort out.
    ¯\_(ツ)_/¯
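
An added example (not code from either poster) of the check the original script was attempting: confirm that the machine answering is the machine asked for before recording its Administrators members. In the posted script the single-quoted '$_' is a literal string, so the comparison can never match; here the target is held in a named variable instead. The function name is hypothetical, and it defaults to the local computer so it can be tried without a workstation list.

```powershell
# Added example. Uses Get-WmiObject, so it needs Windows PowerShell (5.1 or earlier).
function Get-VerifiedLocalAdmin {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    # foreach with a named variable: $_ is rebound inside every nested
    # ForEach-Object, so it is not a safe way to carry the target name.
    foreach ($target in $ComputerName) {
        $row = [ordered]@{
            Target       = $target
            ReportedName = $null    # name the responding machine gives for itself
            Verified     = $false
            Members      = $null
            Error        = $null
        }

        $cs = Get-WmiObject Win32_ComputerSystem -ComputerName $target -ErrorAction SilentlyContinue
        if (-not $cs) {
            $row.Error = 'no WMI response'
        } else {
            $row.ReportedName = $cs.Name
            # Win32_ComputerSystem.Name is the short (NetBIOS) name, so compare
            # against the first label of the target; -eq ignores case.
            $short = ($target -split '\.')[0]
            $row.Verified = ($cs.Name -eq $short)
            if (-not $row.Verified) {
                # Stale DNS: another host answered for this name. Do not record
                # its group membership against the target.
                $row.Error = "answered as $($cs.Name)"
            }
        }

        if ($row.Verified) {
            try {
                $group = [ADSI]"WinNT://$target/Administrators,group"
                $names = $group.Members() | ForEach-Object {
                    # ADsPath keeps the domain or machine prefix of each member
                    $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
                    $path -replace '^WinNT://', ''
                }
                $row.Members = @($names) -join ';'
            } catch {
                $row.Error = $_.Exception.Message
            }
        }

        [pscustomobject]$row
    }
}

# Local machine only (no network needed):
Get-VerifiedLocalAdmin | Format-List

# Against a list, keeping unverified hosts in the report instead of dropping them:
# Get-VerifiedLocalAdmin -ComputerName (Get-Content .\workstations.txt) |
#     Export-Csv .\local-admin-audit.csv -NoTypeInformation
```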

  • Add Local Users to the Local Admin Group

    I am looking either via GPO or Third Party Tool.  I would like to add 6 Users to the Local Admin Groups on all the computers running Windows 7/8.  I want to Create a Group called "OUR Local Admins" and add these 6 local users (Not domain
    Users) to this Group and then nest this Group into the Local Admin Group Built-in into Windows 8
    Thank u

    > local users (Not domain Users) to this Group and then nest this Group
    > into the Local Admin Group Built-in into Windows 8
    You cannot nest local groups.
    Greetings,
    Martin

  • Impossible to unlock network-admin, services, users and groups

    Hi all,
    it is impossible to unlock network-admin, services, users and groups in gnome.
    Suggestions or ideas?
    Thanks in advance
    Greets

    alessandro_ufms wrote:
    xaiviax wrote:Just fyi, rebuilding system-tools-backends with ABS does not fix issue for me.
    Are you put your login user on group stb-admin, put stbd in DAEMONS on rc.conf and restart the computer?
    yes, although didn't have stbd in DAEMONS before (worked fine), still didn't fix issue.  Been watching this thread, just downgraded package again, works great.  I'd rather not downgrade on principle, but that's the only thing that works for me currently, so...

  • Unable to initialize LDAP (No LDAP server is configured)show in the admin server of iWS6.0 users and group

    When I go to web server administration, in the users and group tab it always shows me "Unable to initialize LDAP (No LDAP server is configured)". Does it affect use of the web server, because I use iWS with iAS?
    If it cause some effect ,Please let me know how to configured LDAP server.

    Run this Command from the Exchange Server
    Net time \\ADServerName /Set
    and confirm the action,
    and then you need to restart the service
    Microsoft Exchange Active Directory Topology Service
    and confirm you are not getting the Error 4001 in the event Viewer.
    Thank you, it resolved my issue after being sweating looking for solution.
    How can I prevent this from happening? I cannot restart services on each server reboot nor lose 5 years of my life!!!
    Sokratis Laskaridis MCP, MCTS, MCITP, Small Business Specialist Netapp ASAP, Symantec STS

  • Removed user from group, user no longer has access to documents even though user is owner of documents

    I'm running a server 2012 std domain and I'm in the process of rebuilding our fileserver after we had some pretty serious permission issues. Bad permissions (Everyone had full access to user documents share) were migrated when we move to the new server and
    then by some strange Monday morning freak out all users lost access to their documents. I restored from backups, redirected everyone's folders back to local computer and started to reconfigure the share permissions. I moved our administration group back to
    the server after securing proper permissions for folder redirection (permissions copied from https://technet.microsoft.com/en-us/library/jj649078.aspx?f=255&MSPPError=-2147217396 table 1, only difference is instead of creating a new security group
    for redirection users, I used the everyone group) to test and everything went perfectly. The GPO created the users folders under the root and redirection was good to go. Along with that, other users cannot access other users documents anymore which was the
    intended outcome. 
    Last night I was looking at security groups and see that our administration group (back office group: accounting, HR, etc..) was a member of the domain admins. I removed them from the domain admins group and added them to the administrators group (they do
    need regular admin access) then went on like normal. This morning, all users in that group can no longer access their documents on the server. I immediately think that permissions were broken again and started to get angry, but then realize that all the files
    are still accessible on the server (no lost permissions like before) and the user is still shown as the owner with full permissions, but the files are inaccessible to those users. I re-added them to the domain admins group, logged out, logged back in and documents
    are back and accessible by the user. Remove them from the domain admins group, log out, log back in and the documents are inaccessible again. Re-add to the domain admins group and back to normal. 
    Which leads me to now. If the users are part of the domain admins group, they have access to their files. If they are removed from the domain admins group, they lose access. When they lose access, they are still the owners of the files/folders with full
    permissions, yet they can't access their documents. Also, just to add, the domain admins group has no specified permissions on the files or folders. See screenshots below..
    Here is the root share. 
    And the user's desktop folder. The folder is owned by the user with full permissions. This is the folder the redirection GPO created.
    Any ideas why removing the group from domain admins would drop access to their files? They are still the owners of the files and should have full access but they don't. Is there something I'm not seeing here?

    Effective Access shows the user has full control of the Desktop folder
    This is a problem with the Effective Access tab when using CREATOR OWNER.  As you have noticed, the user doesn't really have the access that the tab says it does.  This is because of how CREATOR OWNER works.
    CREATOR OWNER is only evaluated when a file/folder is created. 
    IF a user can create a file/folder, then the permissions assigned to CREATOR OWNER are copied to a new permissions entry for that user.
    To see this:
    Logon as an administrator and create a file in the Desktop folder in your screenshot.
    Examine the permissions of the new file.
    You'll see that there is a new entry for the account you logged on with.
    CREATOR OWNER is gone.  CREATOR OWNER would still be there if you created a folder (because of "subfolders and files").
    In the Desktop folder (in your screenshot), only SYSTEM and Administrator can create/access files.
    To fix this, you need to grant the users the ability to list the directory contents and create new files/folders.  This corresponds with the suggestion of Table 1 in the document you found.
    I see what you're saying about Administrators domain group. I'll just add them as local admins via GPO and that should solve that issue. 
    No, scary!  This will grant those users administrative permission on your server.  They will be able to see any file anywhere on that server.
    If your goal is to provide a place that is private for each user, then the simplest approach is to grant each user permission to their own folder.  Like this for Test User:
    Notes for above:
    I set the user's permission to Modify because there is no good reason why the user should change these permissions
    The owner of this folder is unimportant.  I leave it set to Administrators
    You can, and I do, remove CREATOR OWNER.  It adds no value in this situation and just causes confusion.
    As for the second screen shot, the *-Admins folder is the root to which Everyone has special permissions on and can create folders. The folder for M* was created by the GPO, which makes M* the owner to which they have Full control of subfolders and files.
    The GPO also created the Desktop folder, giving owner full permissions of subfolders and files. Inside the Desktop folder, permissions remain Full control for owner for subfolders and files. Even if it was the case that they only had permissions on subfolders
    and files, wouldn't each subfolder under that one be considered a subfolder and file of the top folder?
    If this works as you say, then Yes, it should work.  But, I don't see the entries for use M*.  Remember, there should be entries for the M* user that is a duplicate of CREATOR OWNER.
    I suspect that Group Policy is creating the directories (elevated) and then changing the owner to M* afterward.  This does not duplicate the CREATOR OWNER entries as needed.  If this is the case, I consider it a flaw because your permissions do
    not allow user M* to create files/folders, and group policy shouldn't bypass security.
    I'm not saying you're wrong, I'm just curious why the technet article would advise Creator/Owner giving full control of subfolders and files only if that were not correct. I can add the permissions for the users easily, I just don't see why I need to give
    explicit permissions to access something when the GPO created those folders for me, which Microsoft recommends you allow. If the GPO can create folders and the folders are owned by the user, then the user can obviously add/create/modify/view those files and
    folders. 
    When I restored the data, no permissions were reset. Permissions were restored to the wonky version where the Everyone group has full access to everything. Ownership of the files/folders remained the same.
    A couple things:
    The article instructed the use of Folder Redirection Users group that had permissions to create files.  Your examples didn't have that.  Because of this, your user could create new files.
    The article assumes that the directories you are creating will be empty.  Existing files will be unreadable to everyone except Admins.
    If you follow the directions in the article, then anyone in the Folder Redirection Users group can write files to anyone else's directory.
    One benefit of the document's approach is that all the users could be redirected to the same folder using the article, and it would work.  A benefit, I guess.
    But, I like my users separate and unable to see each other's files -- at all.  This is why I recommend replacing CREATOR OWNER with the specific user.
    I believe this document is a "how to get it done" document, not necessarily a best practices document.  I see it as a starting point, and that's why I didn't follow it exactly.
    Lastly, CREATOR OWNER permissions are useful but confusing.  I avoid them unless I have the rare circumstance where they are perfect.
    To summarize:
    In the user's directory, you need to provide permission to list and create new files/folders, and you need grant the user permission to the existing files.
    -Tony
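
The per-user layout described in this answer (the user gets Modify, Administrators keep ownership, CREATOR OWNER is removed), written out in PowerShell as an added example that is not from the original thread. Breaking inheritance on the user folder and the SYSTEM/Administrators Full Control entries are assumptions, since the screenshot is not on the page; the function name and the demo folder are hypothetical.

```powershell
# Added example. Replaces the ACL on one user's folder with explicit entries:
# the user (Modify), Administrators and SYSTEM (Full Control). CREATOR OWNER
# and anything inherited from the share root are dropped.
function Set-PrivateUserFolderAcl {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][System.Security.Principal.IdentityReference]$User
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $admins  = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'  # BUILTIN\Administrators
    $system  = [System.Security.Principal.SecurityIdentifier]'S-1-5-18'      # NT AUTHORITY\SYSTEM
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $noProp  = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow

    $acl = Get-Acl -Path $Path

    # Assumption: stop inheriting from the parent and do not keep a copy of
    # the inherited entries (this is what removes an inherited CREATOR OWNER).
    $acl.SetAccessRuleProtection($true, $false)

    # Remove every explicit entry already on the folder, CREATOR OWNER included.
    foreach ($rule in @($acl.GetAccessRules($true, $false, $sidType))) {
        $acl.PurgeAccessRules($rule.IdentityReference)
    }

    $grants = @(
        @{ Id = $User;   Rights = 'Modify' }       # Modify: cannot rewrite permissions
        @{ Id = $admins; Rights = 'FullControl' }
        @{ Id = $system; Rights = 'FullControl' }
    )
    foreach ($g in $grants) {
        $rights = [System.Security.AccessControl.FileSystemRights]$g.Rights
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $g.Id, $rights, $inherit, $noProp, $allow)
        $acl.AddAccessRule($rule)
    }

    Set-Acl -Path $Path -AclObject $acl

    # Return what is now on the folder so the result can be checked.
    (Get-Acl -Path $Path).Access |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

# Demonstration on a constructed folder under %TEMP%, using the current
# account as the "Test User".
$demo = Join-Path $env:TEMP 'redirect-demo\TestUser'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
Set-PrivateUserFolderAcl -Path $demo -User $me | Format-Table -AutoSize
```

Because the entries name the user directly, existing files in the folder inherit them as well, which the CREATOR OWNER placeholder does not do for files that were already there.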

  • What third party tools exist to show a user or groups permissions and access rights for an entire SharePoint 2010 site collection?

    Our admin crew has just inherited a 4 year old SharePoint site that was developed on SP 2007 and later migrated to SP 2010.  We are trying to determine which users and groups have access to the 150+ sub-sites of the site and at what permission levels.
    Research tells me SharePoint 2010 has no means to simply list out a user's permission levels over an entire site collection, but that it must be done at each sub-site, list & library that has permission inheritance broken to create a unique permissions
    object.
    Has anyone found a solution to this issue?  Without days of research at each sub-site, list & library, how would one more economically go about such an investigation of a user's permissions on an entire SharePoint 2010 site?

    Hello,
    There is no direct way to see user and group broken permission within a site collection. However you can write powershell script to get the permission. You can modify the below script based on your need and export result in CSV. You may also need to add
    code to iterate all subsites within site collection.
    http://social.technet.microsoft.com/wiki/contents/articles/14242.sharepoint-2010-export-all-unique-permissions-from-site-collection-using-powershell.aspx
    http://en.community.dell.com/techcenter/windows-management/b/weblog/archive/2012/09/25/sharepoint-security-reporting-using-powershell
    A Codeplex tool is also available to check permissions but it does not always fulfill business needs. You may also look at this if it suits you.
    https://permissionsmanager.codeplex.com/ 
    Hope it could help
    Hemendra: Yesterday is just a memory, Tomorrow we may never see
