Check out Dsrevoke.exe:

http://www.microsoft.com/downloads/details.aspx?FamilyID=77744807-c403-4bda-b0e4-c2093b8d6383&DisplayLang=en

From the docs and stuff...

Dsrevoke is a command-line tool that can be used on domain controllers that are running Windows Server 2003 or Windows 2000 Server to report the existence of all permissions for a specific user or group on a set of OUs in a domain and optionally remove from the DACLs of a set of OUs all permissions specified for a particular user or group.

Dsrevoke complements the functionality provided by the Delegation of Control Wizard, which is used to delegate administrative authority, by providing the ability to revoke delegated administrative authority.



<snipped some guidelines to delegation in the first place>



If you follow these delegation guidelines, you can use Dsrevoke to easily and reliably undelegate authority. Simply run Dsrevoke in the domain, providing as input the name of the specific security group used to represent the delegated role, and use the /report switch to verify the existence of all explicit permissions for that security group that have been set on all OU objects in the domain. Once you have reviewed the reported permissions, you can use the /remove switch to revoke all permissions granted to that security group, thereby revoking the delegated authority.




spat
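As an added example (not from the Dsrevoke docs and not from anyone on the thread): the same explicit-ACE report that /report produces, done in PowerShell, so you can review exactly what a group has been delegated on every OU before revoking anything. It assumes the RSAT ActiveDirectory module is installed and takes the group name as a parameter; both are assumptions, and the script only reads, it removes nothing.

```powershell
# Added example: list explicit (non-inherited) ACEs for one group on every OU in the
# domain, the read-only half of what "dsrevoke /report" does. Assumes the RSAT
# ActiveDirectory module; the group name is supplied by the caller.
param(
    [Parameter(Mandatory = $true)][string]$GroupName   # e.g. "OU-HelpDesk-Admins" (assumed name)
)
Import-Module ActiveDirectory

# Resolve the group once and match ACEs by SID, not by display name, so a renamed
# or similarly named principal cannot slip past the report.
$group = Get-ADGroup -Identity $GroupName
$sid   = $group.SID

$domainDn = (Get-ADDomain).DistinguishedName
$ous = Get-ADOrganizationalUnit -Filter * -SearchBase $domainDn

$report = foreach ($ou in $ous) {
    # The AD: PSDrive exposes each object's DACL through Get-Acl.
    $acl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }      # dsrevoke reports explicit ACEs only
        $aceSid = try {
            $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        } catch { $null }                       # orphaned or untranslatable SID: skip it
        if (-not $aceSid -or $aceSid.Value -ne $sid.Value) { continue }
        [pscustomobject]@{
            OU          = $ou.DistinguishedName
            Type        = $ace.AccessControlType   # Allow or Deny
            Rights      = $ace.ActiveDirectoryRights
            ObjectType  = $ace.ObjectType          # attribute/class/extended-right GUID, all zeros = whole object
            Inheritance = $ace.InheritanceType
        }
    }
}

if (-not $report) {
    Write-Host "No explicit permissions for $GroupName on any OU under $domainDn"
}
$report | Format-Table -AutoSize
```

Review the Deny entries and the ObjectType GUIDs in the output before running any removal; a Deny ACE is easy to miss in the raw DACL and disappears along with the Allows when a group's permissions are stripped.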

----- Original Message ----- From: "Lamberty, Dave" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Thursday, August 04, 2005 5:41 PM
Subject: RE: [ActiveDir] Biggest AD Gripes


I would love to see some better tools related to delegation, or rather, 'un-delegation.' It's relatively easy to delegate AD permissions, but somewhat more difficult to remove them (or even view what's been delegated already). Some sort of Delegation Viewer or Un-Delegate tool would be very welcome.

Integration with Exchange would be great too. I'm new to Exchange, and it's been challenging for me to figure out what permissions some of the other admin staff really need to manage users' Exchange mailboxes.

--Dave

-----Original Message-----
From: [EMAIL PROTECTED] on behalf of joe
Sent: Tue 8/2/2005 11:24
To: [email protected]
Subject: [ActiveDir] Biggest AD Gripes

So what are everyone's biggest AD Gripes? I am not talking about gripes
about things that use AD like GPOs[1] or Exchange or NFS or anything else
like that. I mean actual AD really missed the boat because of this that or
the other thing.

Like

o I dislike that when you defunct an attribute it doesn't purge the
information in the directory for that attribute.

o The fact that AD Security policy is managed through a technology dependent
on AD and replicates both within AD and the other technology.

o I dislike that there is no true schema delete.

o I dislike the fact that I can't specify which branches of the tree
replicate where.

o I dislike the fact that GUIDs are represented in multiple ways in the
directory.

o I dislike the implementation of property sets especially since they could
be so incredibly awesomely cool. Specifically I dislike that an attribute
can only be in a single property set.

o I dislike creator/owner on SDs.

o I dislike the lack of configurable business rules.

o I dislike the fact that I can't run multiple domains on a single domain
controller.



Etc etc. I have more but let's see what others say. Everyone pipe up. Let's
pretend that MS will actually see this, let's further say let's pretend MS
AD Developers will see this. What would you tell them if you were sitting in
the room with them?



  joe





[1] I do not consider GPOs to be part of AD. They are a technology that
leverages AD.

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
