Help! How do I see what OS management rights a Group has?

Archived from groups: microsoft.public.win2000.active_directory,microsoft.public.win2000.security (More info?)

Hi,
I am trying to figure out how I can see what rights a specific group
has in an active directory domain. Not what rights the group has to a
file system but what OS rights they have.

I am taking over management of a domain that I didn't build. It is a
windows 2000 domain with active directory (I have previously only
managed NT domains). There are several users put into several different
groups. HelpDesk, Assistants, CallCenter, etc, etc. I am trying to go
back and document what rights HelpDesk and the other groups were
assigned at creation. I thought most rights would be assignsed from
'local security settings' but I don't see the information I am looking
for in there. For example, I know users in 'Help Desk' can reset/change
passwords from testing with their IDs (and help desk isn't part of a
built in like account operators). Is there somewhere in a gui or a
command line option to list all rights a group was given at creation?

If I click on the group properties I only see, members, members of,
etc.

Thanks for any advice!
M
3 answers Last reply
More about help management rights group
  1. Archived from groups: microsoft.public.win2000.active_directory,microsoft.public.win2000.security (More info?)

    The situation is really no different in post-NT4 compared to NT4.

    The systems may be called on to show what constitutes a group, or
    what group(s) are given specific grants, but not to invert the inquery
    and show all grants given to a specific group.

    For that, given that you are not in a position to do the right thing
    and address this with design, implementation practices, and change
    control (i.e. with doc capture/update), you are in a position where
    you need to recurse over all (likely first) securable objects in order
    to start to answer your question. AD objs/attribs, NTFS, reg, COM+,
    user rights, etc. does not matter, you will have to enumerate over them
    and correlate the grants (or buy a product)

    --
    Roger Abell
    Microsoft MVP (Windows Security)

    <gretzkygirl44@yahoo.com> wrote in message
    news:1116881001.153509.291750@g43g2000cwa.googlegroups.com...
    > Hi,
    > I am trying to figure out how I can see what rights a specific group
    > has in an active directory domain. Not what rights the group has to a
    > file system but what OS rights they have.
    >
    > I am taking over management of a domain that I didn't build. It is a
    > windows 2000 domain with active directory (I have previously only
    > managed NT domains). There are several users put into several different
    > groups. HelpDesk, Assistants, CallCenter, etc, etc. I am trying to go
    > back and document what rights HelpDesk and the other groups were
    > assigned at creation. I thought most rights would be assignsed from
    > 'local security settings' but I don't see the information I am looking
    > for in there. For example, I know users in 'Help Desk' can reset/change
    > passwords from testing with their IDs (and help desk isn't part of a
    > built in like account operators). Is there somewhere in a gui or a
    > command line option to list all rights a group was given at creation?
    >
    > If I click on the group properties I only see, members, members of,
    > etc.
    >
    > Thanks for any advice!
    > M
    >
  2. Archived from groups: microsoft.public.win2000.active_directory,microsoft.public.win2000.security (More info?)

    User rights/privileges will vary depending on the computer a user is logged
    onto. User rights/privileges can be assigned in Local Security Policy or at
    the domain/Organizational Unit level. For domain controllers look at Domain
    Controller Security policy for user rights and keep in mind that in Windows
    2000 that if the "effective" setting is different from the local setting
    then a higher level policy is overriding the local policy. The tool whoami
    will show the user rights when a user is logged onto a particular computer.

    As far as the Help Desk users, they have been "delegated" permissions to an
    Active Directory container that contains the user accounts they can manage.
    There is no easy way to find out the delegated permissions other than to
    view the permissions [including advanced page] of the AD container such as
    an Organizational Unit. It may help to compare permissions to a freshly
    created OU created under the domain container to compare permissions to. You
    will also find the Group Policy Management Console immensely helpful in
    managing and troubleshooting Group Policy and security policy is a subset of
    Group Policy computer configuration. If you have an XP Pro computer in the
    domain you can install it on that computer to use to manage Group Policy for
    the domain. Of course that computer would need to be a secured admin
    workstation as you will have to logon as a domain admin. --- Steve

    http://www.microsoft.com/windowsserver2003/gpmc/default.mspx --- GPMC

    <gretzkygirl44@yahoo.com> wrote in message
    news:1116881001.153509.291750@g43g2000cwa.googlegroups.com...
    > Hi,
    > I am trying to figure out how I can see what rights a specific group
    > has in an active directory domain. Not what rights the group has to a
    > file system but what OS rights they have.
    >
    > I am taking over management of a domain that I didn't build. It is a
    > windows 2000 domain with active directory (I have previously only
    > managed NT domains). There are several users put into several different
    > groups. HelpDesk, Assistants, CallCenter, etc, etc. I am trying to go
    > back and document what rights HelpDesk and the other groups were
    > assigned at creation. I thought most rights would be assignsed from
    > 'local security settings' but I don't see the information I am looking
    > for in there. For example, I know users in 'Help Desk' can reset/change
    > passwords from testing with their IDs (and help desk isn't part of a
    > built in like account operators). Is there somewhere in a gui or a
    > command line option to list all rights a group was given at creation?
    >
    > If I click on the group properties I only see, members, members of,
    > etc.
    >
    > Thanks for any advice!
    > M
    >
  3. Archived from groups: microsoft.public.win2000.active_directory,microsoft.public.win2000.security (More info?)

    "gretzkygirl44" wrote:
    > Hi,
    > I am trying to figure out how I can see what rights a specific
    > group
    > has in an active directory domain. Not what rights the group
    > has to a
    > file system but what OS rights they have.
    >
    > I am taking over management of a domain that I didn't build.
    > It is a
    > windows 2000 domain with active directory (I have previously
    > only
    > managed NT domains). There are several users put into several
    > different
    > groups. HelpDesk, Assistants, CallCenter, etc, etc. I am
    > trying to go
    > back and document what rights HelpDesk and the other groups
    > were
    > assigned at creation. I thought most rights would be assignsed
    > from
    > 'local security settings' but I don't see the information I am
    > looking
    > for in there. For example, I know users in 'Help Desk' can
    > reset/change
    > passwords from testing with their IDs (and help desk isn't
    > part of a
    > built in like account operators). Is there somewhere in a gui
    > or a
    > command line option to list all rights a group was given at
    > creation?
    >
    > If I click on the group properties I only see, members,
    > members of,
    > etc.
    >
    > Thanks for any advice!
    > M

    Hi,

    Turn on advanced features and view the Security Rights on the OUs and
    GPO’s. That, and maybe NTFS file permissions, would be the only reason
    for creating separate groups.

    Cheers,

    Lara

    --
    Posted using the http://www.windowsforumz.com interface, at author's request
    Articles individually checked for conformance to usenet standards
    Topic URL: http://www.windowsforumz.com/Active-Directory-Help-OS-management-rights-Group-ftopict376332.html
    Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.windowsforumz.com/eform.php?p=1227263
Ask a new question

Read More

Domain Management Microsoft Active Directory Windows