Remove "everyone" permissions in bulk (web client)

Background / Value

If "Everyone accounts" are used for the assignment of access rights, (almost) everyone has access to the connected resources. The consequence is an excessive assignment of access rights and a high probability for unauthorized access. These go against the principle of least privilege and should therefore not be used. Before deleting permissions you should assign specific groups to the appropriate resources.

 

"Everyone accounts" are:

  • Everyone
  • Authenticated Users
  • Domain-Users

 

Related features

Report: Identify usage of "Everyone" (rich client)

Report: Identify usage of "Authenticated Users" (rich client)

 

Step-by-step process

  1. Select "New analyze session".
  2. Click "Globally accessible directories".

 

  1. Select security principals.
    You can add one additional group. This is very useful for "catch-all" groups, e.g. "mycompany-complete".

The scenario only considers direct access control entries (ACEs). Group nesting is not resolved.

  1. Select the file servers.
  2. Start the calculation.

 

E049-05 EN Jeder Berechtigungen im Bulk entfernen

  1. ARM lists all globally accessible directories.
  2. Use sorting, filtering, grouping and column selection to locate the desired rows.
  3. Select the desired entries.
  4. Click "Remove ACE".

 

E049-06 EN Jeder Berechtigungen im Bulk entfernen

  1. Leave a comment.
  2. Click "Execute Action".

The job will be transferred to the ARM server and executed there. You can find the status in Jobs overview.