Remove "everyone" permissions in bulk (web client)
Background / Value
If "Everyone accounts" are used for the assignment of access rights, (almost) everyone has access to the connected resources. The consequence is an excessive assignment of access rights and a high probability for unauthorized access. These go against the principle of least privilege and should therefore not be used. Before deleting permissions you should assign specific groups to the appropriate resources.
"Everyone accounts" are:
- Everyone
- Authenticated Users
- Domain-Users
Related features
Report: Identify usage of "Everyone" (rich client)
Report: Identify usage of "Authenticated Users" (rich client)
Step-by-step process
- Select "Analysis".
- Select the category "Directories".
- Click "Globally accessible directories".
- Select security principals.
You can add one additional group. This is very useful for "catch-all" groups, e.g. "mycompany-complete".
The scenario only considers direct access control entries (ACEs). Group nesting is not resolved.
- Select the file servers.
- Start the calculation.
- Access Rights Manager lists all globally accessible directories.
- Use sorting, filtering, grouping and column selection to locate the desired rows.
- Select the desired entries.
- Click "Remove ACE".
- Leave a comment.
- Click "Execute Action".
The job will be transferred to the Access Rights Manager server and executed there. You can find the status in Jobs overview.