Hmm...
Not sure this is what you're looking for, but DSACLS will give that information to you. If you don't set permissions with it, it can report the current permissions. But it's a lot of information to wade through even when you're done. I think if you wanted to script it, you'd want to shove the results into a DB so you could report on it in a way that makes more sense for what you're trying to accomplish. Keep in mind that there are a lot of rights out there so your reporting could be complex if you try to take the data out of the AD and put it into something else.
Perhaps somebody else has found something more elegant?
On 5/18/06, [EMAIL PROTECTED] <
[EMAIL PROTECTED]> wrote:
Is there a tool or script that will allow me to query all of the groups in AD and find those with particular security rights? For example, I would like to be able to view all of the groups that can reset passwords or query for all groups that can create groups. I am not savvy with scripting so any links to existing scripts or step-by-step instructions would be appreciated.BONNIE POHLSCHNEIDER
