Finding Delegated users ,,,Need Imd Help

[Guest]

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Hi All,
Anyone know how to search for users whom the administrator have delegated
rights to create,delete...etc
My Administrator has moved to diff department,I have taken over and as a
security concern I would just want to check these,can somebody help me on
this..
Thanks
San

 

[Guest]

Archived from groups: microsoft.public.win2000.active_directory (More info?)

If you are asking about what might have been delegated to certain users ( or
better, to certain groups ) via the Delegation Wizard - or manually, for
that matter - then there is no way to 'know' this other than going to each
object ( probably the OU..... ) and looking.

I am sure that there are some tools out there ( go to
http://www.joeware.net ) and look there for any tools that he might have
written to handle this ( I know that there is but am a bit tired
today..... ).

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



"santosh" <santosh@discussions.microsoft.com> wrote in message
news:3D5A5E7F-0956-4759-92EB-079CD9581134@microsoft.com...
> Hi All,
> Anyone know how to search for users whom the administrator have delegated
> rights to create,delete...etc
> My Administrator has moved to diff department,I have taken over and as a
> security concern I would just want to check these,can somebody help me on
> this..
> Thanks
> San
>
>
>

 

[Guest]

Archived from groups: microsoft.public.win2000.active_directory (More info?)

"santosh" wrote:
> Hi All,
> Anyone know how to search for users whom the administrator
> have delegated
> rights to create,delete...etc
> My Administrator has moved to diff department,I have taken
> over and as a
> security concern I would just want to check these,can somebody
> help me on
> this..
> Thanks
> San

Hello,

If you know which groups/users have been delegated permissions but you
don’t know where, you could use DSREVOKE from MS (google for it and
you willl find it)

Another way to search is to search for all defined permissions on OUs
using ADFIND from JOEWARE.NET

adfind -b "DC=<DOMAIN>,DC=<TLD>" -f
"(objectCategory=OrganizationalUnit)" -sddc ntsecuritydescriptor

With this command you can get the security descriptors but they are in
SDDL format and you need to convert that to human readable text.
I at the moment don’t know how to do that, but maybe the guy at
joeware.net know.

For more info on SDDL see
http://www.washington.edu/computing/support/windows/UWdomains/SDDL.html

Cheers

--
Posted using the http://www.windowsforumz.com interface, at author's request
Articles individually checked for conformance to usenet standards
Topic URL: http://www.windowsforumz.com/Active-Directory-Finding-Delegated-users-Imd-Help-ftopict549240.html
Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.windowsforumz.com/eform.php?p=1738135

 

[Guest]

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Jorge,

I was thinking about adfind. Was also thinking about DSACL.......I am just
very tired ( little one is teething and not getting a lot of sleep ) so
things are a little less than clear for this old man!

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



"Jorge_de_Almeida_Pinto" <UseLinkToEmail@WindowsForumz.com> wrote in message
news:3_1738135_acc967bdf4bae6d031b544007e91c221@windowsforumz.com...
> "santosh" wrote:
> > Hi All,
> > Anyone know how to search for users whom the administrator
> > have delegated
> > rights to create,delete...etc
> > My Administrator has moved to diff department,I have taken
> > over and as a
> > security concern I would just want to check these,can somebody
> > help me on
> > this..
> > Thanks
> > San
>
> Hello,
>
> If you know which groups/users have been delegated permissions but you
> don't know where, you could use DSREVOKE from MS (google for it and
> you willl find it)
>
> Another way to search is to search for all defined permissions on OUs
> using ADFIND from JOEWARE.NET
>
> adfind -b "DC=<DOMAIN>,DC=<TLD>" -f
> "(objectCategory=OrganizationalUnit)" -sddc ntsecuritydescriptor
>
> With this command you can get the security descriptors but they are in
> SDDL format and you need to convert that to human readable text.
> I at the moment don't know how to do that, but maybe the guy at
> joeware.net know.
>
> For more info on SDDL see
> http://www.washington.edu/computing/support/windows/UWdomains/SDDL.html
>
> Cheers
>
> --
> Posted using the http://www.windowsforumz.com interface, at author's
> request
> Articles individually checked for conformance to usenet standards
> Topic URL:
> http://www.windowsforumz.com/Active-Directory-Finding-Delegated-users-Imd-Help-ftopict549240.html
> Visit Topic URL to contact author (reg. req'd). Report abuse:
> http://www.windowsforumz.com/eform.php?p=1738135

 

[Guest]

Archived from groups: microsoft.public.win2000.active_directory (More info?)

"Cary Shultz A.D. M" wrote:
> Jorge,
>
> I was thinking about adfind. Was also thinking about
> DSACL.......I am just
> very tired ( little one is teething and not getting a lot of
> sleep ) so
> things are a little less than clear for this old man!
>
> --
> Cary W. Shultz
> Roanoke, VA 24012
> Microsoft Active Directory MVP
>
> http://www.activedirectory-win2000.com
> http://www.grouppolicy-win2000.com
>
>
>
> "Jorge_de_Almeida_Pinto" <UseLinkToEmail@WindowsForumz.com>
> wrote in message
> news:3_1738135_acc967bdf4bae6d031b544007e91c221@windowsforumz.com...
> > "santosh" wrote:
>  > > Hi All,
>  > > Anyone know how to search for users whom the
> administrator
>  > > have delegated
>  > > rights to create,delete...etc
>  > > My Administrator has moved to diff department,I have
> taken
>  > > over and as a
>  > > security concern I would just want to check
> these,can somebody
>  > > help me on
>  > > this..
>  > > Thanks
>  > > San
> >
> > Hello,
> >
> > If you know which groups/users have been delegated
> permissions but you
> > don't know where, you could use DSREVOKE from MS (google for
> it and
> > you willl find it)
> >
> > Another way to search is to search for all defined
> permissions on OUs
> > using ADFIND from JOEWARE.NET
> >
> > adfind -b "DC=<DOMAIN>,DC=<TLD>" -f
> > "(objectCategory=OrganizationalUnit)" -sddc
> ntsecuritydescriptor
> >
> > With this command you can get the security descriptors but
> they are in
> > SDDL format and you need to convert that to human readable
> text.
> > I at the moment don't know how to do that, but maybe the guy
> at
> > joeware.net know.
> >
> > For more info on SDDL see
> > http://www.washington.edu/computing/support/windows/UWdomains/SDDL.html
> >
> > Cheers
> >
> > --
> > Posted using the http://www.windowsforumz.com interface, at author's
> > request
> > Articles individually checked for conformance to usenet
> standards
> > Topic URL:
> > http://www.windowsforumz.com/Active-Directory-Finding-Delegated-users-Imd-Help-ftopict549240.html
> > Visit Topic URL to contact author (reg. req'd). Report
> abuse:
> > http://www.windowsforumz.com/eform.php?p=1738135

Hi Cary,

DSACLS and ACLDIAG can not help the guy with what he wants.
Both wil do fine to grant/read permissions on single objects.

Het wants to go through AD and what the delegations are what simply
means "check all security descriptors" and report into a file

ADFIND from Joeware works OK, but it reports in SDDL format and humans
don’t really like that format. I once downloaded a SDDL parser that
converts one string at a time to a readable format. I tried to search
for it again but I did not succeed

hehe... the little one thinks "i can’t sleep, so you can’t sleep!"
;-)

Cheers,