Trying to understand what you want...

(1) you have a group, that group has been given permissions on objects in AD (the domain) and you want to know to which objects through a tool/script
(2) you have a group and someone configured the DACL/SACL on that group and you want to know the DACL/SACL on that group through a tool/script

If (1) use DSREVOKE (http://www.microsoft.com/downloads/details.aspx?FamilyID=77744807-c403-4bda-b0e4-c2093b8d6383&DisplayLang=en)
see the output:

D:\TECHNICAL\MicrosoftTooling\DSRevoke>dsrevoke.exe /?
Usage: dsrevoke /report|/remove [/domain:<domainname>] [/username:<username>]
       [/password:<password>|*] [/root:<domain/OU>] <securityprincipal>
  /report: Only reports the ACEs that have been set for the given
           principal on all domain and OU objects under root
  /remove: Reports and then removes (after confirmation) the aces
           for the given principal
  /domain: Dns OR Netbios name of domain
           (must be specified when <securityprincipal> is in domain other
           than default or if alternate credentials are provided)
  /username: Username if alternate credentials must be specified
  /password: * will prompt for password
  /root: Root OU to start search for ACEs. If not specified will
         default to the specified domain's default naming context (The
         root domain or OU must be specified using x500 format; if the
         dn must include spaces enclose the option in quotes,e.g. "/root:..")
  <securityprincipal>: Domain\User or Domain\Group for the security
                       principal being looked up

If (2) use DSACLS
jorge
________________________________
From: [EMAIL PROTECTED] on behalf of Carerros, Charles
Sent: Thu 2006-02-16 15:47
To: '[email protected]'
Subject: [ActiveDir] Delegration of Administration
Does anyone have a script or method of identifying what permission is set to a
security group through Delegation of Administration? I was hoping to find a
quick way of evaluating the security so that I can revamp our system.
Thanks,
Charlie
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
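Added example, not part of the original thread and not Microsoft's code: a read-only PowerShell report in the spirit of "dsrevoke /report", listing the explicit ACEs one security principal holds on the domain and OU objects under a root. It assumes the RSAT ActiveDirectory module is installed; the group name, search root, output file name and the function name Get-DelegatedAce are placeholders chosen for illustration.

```powershell
# Added example: report explicit ACEs granted to one principal on domain/OU objects.
# Assumes the RSAT ActiveDirectory module; principal and root below are placeholders.
param(
    [string]$Principal = 'EXAMPLE\HelpdeskAdmins',   # Domain\Group or Domain\User
    [string]$Root      = 'DC=example,DC=com'         # search root in DN (X.500) form
)

Import-Module ActiveDirectory   # also mounts the AD: drive that Get-Acl reads from

function Get-DelegatedAce {
    param([string]$Principal, [string]$Root)

    # Same object scope the dsrevoke usage text describes: domain and OU objects.
    $targets = Get-ADObject -SearchBase $Root -SearchScope Subtree `
        -LDAPFilter '(|(objectClass=domainDNS)(objectClass=organizationalUnit))'

    foreach ($obj in $targets) {
        $acl = Get-Acl -Path ("AD:\" + $obj.DistinguishedName)
        foreach ($ace in $acl.Access) {
            # Skip inherited ACEs so each delegation is listed once, on the
            # object where it was actually set (a choice made for this example).
            if ($ace.IsInherited) { continue }
            if ($ace.IdentityReference.Value -ne $Principal) { continue }

            [pscustomobject]@{
                Object        = $obj.DistinguishedName
                Type          = $ace.AccessControlType       # Allow / Deny
                Rights        = $ace.ActiveDirectoryRights   # e.g. WriteProperty
                ObjectType    = $ace.ObjectType              # attribute / extended-right GUID
                InheritedType = $ace.InheritedObjectType     # child class the ACE applies to
                AppliesTo     = $ace.InheritanceType         # None, All, Descendents, ...
            }
        }
    }
}

# Write the findings to CSV for review before changing any delegation.
Get-DelegatedAce -Principal $Principal -Root $Root |
    Sort-Object Object |
    Export-Csv -NoTypeInformation -Path .\delegation-report.csv
```

An all-zero GUID in ObjectType means the right applies to the whole object rather than to a single attribute or extended right.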
