Answer to your question: YES, that's why you should assign permissions to groups and not to individual accounts
DSREVOKE Dsrevoke is a command-line tool that can be used on domain controllers that are running Windows Server 2003 or Windows 2000 Server to report the existence of all permissions for a specific user or group on a set of OUs in a domain and optionally remove from the DACLs of a set of OUs all permissions specified for a particular user or group. http://www.microsoft.com/technet/abouttn/subscriptions/flash/tips/tips_12070 4.mspx http://www.microsoft.com/downloads/details.aspx?FamilyID=77744807-c403-4bda- b0e4-c2093b8d6383&DisplayLang=en By the way: DSREVOKE only works for the default domain naming context As you can see there is no native tool available to see all delegations in one step in AD ACLDIAG en DSACLS can help what permissions have been configured on an object (e.g. OU) in AD. The opposite of DSREVOKE (view the permissions for a security principal in the default namong context) Cheers, #JORGE# -----Original Message----- From: [EMAIL PROTECTED] To: [email protected] Sent: 5/24/2005 1:25 PM Subject: [ActiveDir] delegate control in AD Dumb question: If I delegate control for a group of users to reset passwords - shouldn't I then be able to add someone to that group and then that someone can reset passwords?! Also, is there a way to view what delegations have been done so far? Active Directory 2003/ Thanks! Joe Pelle Senior Infrastructure Architect Information Technology Valassis / IT 19975 Victor Parkway Livonia, MI 48152 Tel 734.591.7324 Fax 734.632.6151 <mailto:[EMAIL PROTECTED]> [EMAIL PROTECTED] <http://www.valassis.com/> http://www.valassis.com/ This message may include proprietary or protected information. If you are not the intended recipient, please notify me, delete this message, and do not further communicate the information contained herein without my express written consent. This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you. List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
