Extra Global Group - How To Determine Use?
We have an extra global group that was created either during an upgrade of a particular product or during a recovery. How can we determine whether this global group is currently in use? I was able to search all of our local Administrator accounts on our servers and found one instance where this account was used. I can also scan entire drives to search for ACEs. I'd still be uncertain if the account is used to grant access to a database or a network share or NTFS permissions on that share. Is there a method to determine whether a group has been granted access somewhere besides scanning every possible object for permissions?
July 23rd, 2008 11:47pm

Hello,

As far as I know, we do not have a tool which could list all the permissions that a user or group has on files, database, AD objects, etc., without enumerating the permissions on each object. There is a Sysinternals tool that can help to enumerate permissions on the file system.

AccessEnum v1.32
http://technet.microsoft.com/en-us/sysinternals/bb897332.aspx

ShareEnum v1.6
http://technet.microsoft.com/en-us/sysinternals/bb897442.aspx

For your reference:

Group scope
http://technet2.microsoft.com/windowsserver/en/library/79d93e46-ecab-4165-8001-7adc3c9f804e1033.mspx

Group Type and Scope Usage in Windows
http://support.microsoft.com/kb/231273
July 29th, 2008 7:22am
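The enumeration the reply describes, written out as a PowerShell script (an added example, not code from the thread or from the Sysinternals tools it links). It matches ACEs by the group's SID rather than its display name, so a renamed group still matches, and reports only explicit (non-inherited) NTFS ACEs plus share-level grants. Assumed: a modern Windows PowerShell with the SmbShare module (Get-SmbShare/Get-SmbShareAccess), run as an account that can read the ACLs; the group name and scan roots are placeholders.

```powershell
param(
    [Parameter(Mandatory)] [string] $Group,   # placeholder, e.g. 'CONTOSO\Extra-Global-Group'
    [string[]] $Roots = @('D:\'),             # NTFS trees to walk
    [switch] $IncludeShares                   # also check share-level permissions on this host
)

# Resolve the group once to its SID; ACE comparisons are done on the SID, not the name.
$groupSid = (New-Object System.Security.Principal.NTAccount($Group)).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
$hits = [System.Collections.Generic.List[object]]::new()

function Add-HitsFromAcl {
    param($Acl, [string] $Path)
    foreach ($ace in $Acl.Access) {
        if ($ace.IsInherited) { continue }    # explicit grants are the ones worth reviewing
        $sid = $ace.IdentityReference
        if ($sid -isnot [System.Security.Principal.SecurityIdentifier]) {
            try { $sid = $sid.Translate([System.Security.Principal.SecurityIdentifier]) }
            catch { continue }                # untranslatable (orphaned) trustee; skip
        }
        if ($sid.Value -eq $groupSid) {
            $hits.Add([pscustomobject]@{ Kind = 'NTFS'; Path = $Path
                Rights = $ace.FileSystemRights; Type = $ace.AccessControlType })
        }
    }
}

foreach ($root in $Roots) {
    # -Force includes hidden/system objects; access-denied subtrees are skipped, not fatal.
    Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            try { Add-HitsFromAcl (Get-Acl -LiteralPath $_.FullName) $_.FullName } catch { }
        }
}

if ($IncludeShares) {
    foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {
        foreach ($entry in Get-SmbShareAccess -Name $share.Name) {
            try {
                $sid = (New-Object System.Security.Principal.NTAccount($entry.AccountName)).Translate(
                           [System.Security.Principal.SecurityIdentifier]).Value
            } catch { continue }
            if ($sid -eq $groupSid) {
                $hits.Add([pscustomobject]@{ Kind = 'Share'; Path = "\\$env:COMPUTERNAME\$($share.Name)"
                    Rights = $entry.AccessRight; Type = $entry.AccessControlType })
            }
        }
    }
}

$hits | Sort-Object Kind, Path   # empty output means no explicit grant found in the scanned scope
```

An empty result only covers the file system and shares scanned here; database logins, AD object ACLs and local group memberships on other hosts still need their own enumeration, as the reply notes.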

What is the recommended way for consolidating global groups? Is it possible to use SID History?
July 31st, 2008 9:56pm

Theoretically, you can add the SID of a user group to another user group. You may perform a test by using the DsAddSidHistory function to see whether it works.

http://msdn2.microsoft.com/en-us/library/ms675918.aspx

The DsAddSidHistory function gets the primary account security identifier (SID) of a security principal from one domain (the source domain) and adds it to the sIDHistory attribute of a security principal in another (destination) domain in a different forest. When the source domain is in Windows 2000 native mode, this function also retrieves the sIDHistory values of the source principal and adds them to the destination principal's sIDHistory. Adding SIDs to a security principal's sIDHistory is a security-sensitive operation that effectively grants to the destination principal access to all resources accessible to the source principal, provided that trusts exist from applicable resource domains to the destination domain.

The sIDHistory attribute is owned by the system, so we cannot write the attribute directly. The sIDHistory attribute is modified by the DsAddSidHistory function. The DsAddSidHistory function retrieves the primary account security identifier (SID) of a security principal from one domain and adds it to the sIDHistory attribute of a security principal in another domain in a different forest. When the source domain is in Windows 2000 native mode, this function also retrieves the sIDHistory values of the source principal and adds them to the destination principal's sIDHistory. The DsAddSidHistory function performs a security-sensitive function by adding the primary account SID of an existing security principal to the sIDHistory of a principal in a domain in a different forest, effectively granting to the latter access to all resources accessible to the former.

For more information about the DsAddSidHistory function, please access the following web page:

DsAddSidHistory
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/dsaddsidhistory.asp

Laura Zhang - MSFT
August 1st, 2008 6:47am
