Yep, this is a PITA in Windows. It is why you should have really good process and standards around ACLing. Thing is most people don't think about it until after they are in trouble.
 
Take a look at the script at http://rallenhome.com/books/ad3e/source/ch_26_list_aces.vbs.txt; it shows you how to list the ACEs out. You could modify this to output into a CSV format and/or just dump explicit ACEs, which will narrow down the actual number of ACEs you have to look at.
 
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
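
An added example, not part of the original message or the linked script: a PowerShell sketch of the approach suggested above, keeping only explicit (non-inherited) ACEs that grant Reset Password or Create Group and writing them to CSV. The helper name, the sample SDDL, its SIDs, the DN and the CSV file name are constructed for illustration; the two GUIDs are the schema GUIDs of the User-Force-Change-Password extended right and the group class.

```powershell
# Added example: report explicit ACEs granting Reset Password or Create Group.
Add-Type -AssemblyName System.DirectoryServices

$ResetPwd   = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # User-Force-Change-Password extended right
$GroupClass = [guid]'bf967a9c-0de6-11d0-a285-00aa003049e2'  # group object class
$Rights     = [System.DirectoryServices.ActiveDirectoryRights]

function Get-ExplicitDelegation {   # hypothetical helper name
    param(
        [string]$ObjectDN,
        [System.DirectoryServices.ActiveDirectorySecurity]$Acl,
        # Pass [System.Security.Principal.NTAccount] on a domain-joined host to get names
        [type]$TrusteeType = [System.Security.Principal.SecurityIdentifier]
    )
    # includeExplicit = $true, includeInherited = $false: drops ACEs that flowed down from a parent
    foreach ($ace in $Acl.GetAccessRules($true, $false, $TrusteeType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $granted = @()
        # An empty ObjectType GUID means "all extended rights" / "all child classes",
        # so full-control style ACEs are reported for both rights.
        if ($ace.ActiveDirectoryRights.HasFlag($Rights::ExtendedRight) -and
            $ace.ObjectType -in @($ResetPwd, [guid]::Empty)) { $granted += 'ResetPassword' }
        if ($ace.ActiveDirectoryRights.HasFlag($Rights::CreateChild) -and
            $ace.ObjectType -in @($GroupClass, [guid]::Empty)) { $granted += 'CreateGroup' }
        foreach ($g in $granted) {
            [pscustomobject]@{
                Object      = $ObjectDN
                Trustee     = $ace.IdentityReference.Value
                Right       = $g
                Inheritance = $ace.InheritanceType   # how far below this object the ACE applies
            }
        }
    }
}

# Constructed sample DACL in SDDL form (SIDs are made up). ACE 3 grants neither right,
# ACE 4 carries the ID (inherited) flag; both must be absent from the report.
$sddl = 'D:AI' +
  '(OA;CIIO;CR;00299570-246d-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-1-2-3-1105)' +
  '(OA;CI;CC;bf967a9c-0de6-11d0-a285-00aa003049e2;;S-1-5-21-1-2-3-1106)' +
  '(A;;RPLCRC;;;AU)' +
  '(OA;CIIOID;CR;00299570-246d-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-1-2-3-1107)'
$acl = New-Object System.DirectoryServices.ActiveDirectorySecurity
$acl.SetSecurityDescriptorSddlForm($sddl)
# Against a live domain (ActiveDirectory module loaded): $acl = Get-Acl "AD:\$dn"

Get-ExplicitDelegation -ObjectDN 'OU=Staff,DC=example,DC=com' -Acl $acl |
    Export-Csv -Path .\explicit-delegations.csv -NoTypeInformation
```

With the sample DACL the CSV holds two rows, one per explicit grant. Run per OU or container, the rows can be concatenated and sorted by Trustee to see which groups hold each right.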
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Friday, May 19, 2006 8:42 AM
To: [email protected]
Subject: Re: [ActiveDir] Search AD for groups that have specific rights

Hmm...
 
Not sure this is what you're looking for, but DSACLS will give that information to you. If you don't set permissions with it, it can report the current permissions. But it's a lot of information to wade through even when you're done. I think if you wanted to script it, you'd want to shove the results into a DB so you could report on it in a way that makes more sense for what you're trying to accomplish. Keep in mind that there are a lot of rights out there so your reporting could be complex if you try to take the data out of the AD and put it into something else.
 
Perhaps somebody else has found something more elegant?
 
http://technet2.microsoft.com/WindowsServer/en/Library/ffd71dba-386e-463e-9529-f0b77d708ca01033.mspx?mfr=true
 

 
On 5/18/06, [EMAIL PROTECTED] < [EMAIL PROTECTED]> wrote:
Is there a tool or script that will allow me to query all of the groups in AD and find those with particular security rights? For example, I would like to be able to view all of the groups that can reset passwords or query for all groups that can create groups. I am not savvy with scripting so any links to existing scripts or step-by-step instructions would be appreciated.
 

BONNIE POHLSCHNEIDER

