Finding Delegated users ,,,Need Imd Help

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Hi All,
Anyone know how to search for users whom the administrator have delegated
rights to create,delete...etc
My Administrator has moved to diff department,I have taken over and as a
security concern I would just want to check these,can somebody help me on
this..
Thanks
San
4 answers Last reply
More about finding delegated users need help
  1. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    If you are asking about what might have been delegated to certain users ( or
    better, to certain groups ) via the Delegation Wizard - or manually, for
    that matter - then there is no way to 'know' this other than going to each
    object ( probably the OU..... ) and looking.

    I am sure that there are some tools out there ( go to
    http://www.joeware.net ) and look there for any tools that he might have
    written to handle this ( I know that there is but am a bit tired
    today..... ).

    --
    Cary W. Shultz
    Roanoke, VA 24012
    Microsoft Active Directory MVP

    http://www.activedirectory-win2000.com
    http://www.grouppolicy-win2000.com


    "santosh" <santosh@discussions.microsoft.com> wrote in message
    news:3D5A5E7F-0956-4759-92EB-079CD9581134@microsoft.com...
    > Hi All,
    > Anyone know how to search for users whom the administrator have delegated
    > rights to create,delete...etc
    > My Administrator has moved to diff department,I have taken over and as a
    > security concern I would just want to check these,can somebody help me on
    > this..
    > Thanks
    > San
    >
    >
    >
  2. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    "santosh" wrote:
    > Hi All,
    > Anyone know how to search for users whom the administrator
    > have delegated
    > rights to create,delete...etc
    > My Administrator has moved to diff department,I have taken
    > over and as a
    > security concern I would just want to check these,can somebody
    > help me on
    > this..
    > Thanks
    > San

    Hello,

    If you know which groups/users have been delegated permissions but you
    don’t know where, you could use DSREVOKE from MS (google for it and
    you willl find it)

    Another way to search is to search for all defined permissions on OUs
    using ADFIND from JOEWARE.NET

    adfind -b "DC=<DOMAIN>,DC=<TLD>" -f
    "(objectCategory=OrganizationalUnit)" -sddc ntsecuritydescriptor

    With this command you can get the security descriptors but they are in
    SDDL format and you need to convert that to human readable text.
    I at the moment don’t know how to do that, but maybe the guy at
    joeware.net know.

    For more info on SDDL see
    http://www.washington.edu/computing/support/windows/UWdomains/SDDL.html

    Cheers

    --
    Posted using the http://www.windowsforumz.com interface, at author's request
    Articles individually checked for conformance to usenet standards
    Topic URL: http://www.windowsforumz.com/Active-Directory-Finding-Delegated-users-Imd-Help-ftopict549240.html
    Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.windowsforumz.com/eform.php?p=1738135
  3. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    Jorge,

    I was thinking about adfind. Was also thinking about DSACL.......I am just
    very tired ( little one is teething and not getting a lot of sleep ) so
    things are a little less than clear for this old man!

    --
    Cary W. Shultz
    Roanoke, VA 24012
    Microsoft Active Directory MVP

    http://www.activedirectory-win2000.com
    http://www.grouppolicy-win2000.com


    "Jorge_de_Almeida_Pinto" <UseLinkToEmail@WindowsForumz.com> wrote in message
    news:3_1738135_acc967bdf4bae6d031b544007e91c221@windowsforumz.com...
    > "santosh" wrote:
    > > Hi All,
    > > Anyone know how to search for users whom the administrator
    > > have delegated
    > > rights to create,delete...etc
    > > My Administrator has moved to diff department,I have taken
    > > over and as a
    > > security concern I would just want to check these,can somebody
    > > help me on
    > > this..
    > > Thanks
    > > San
    >
    > Hello,
    >
    > If you know which groups/users have been delegated permissions but you
    > don't know where, you could use DSREVOKE from MS (google for it and
    > you willl find it)
    >
    > Another way to search is to search for all defined permissions on OUs
    > using ADFIND from JOEWARE.NET
    >
    > adfind -b "DC=<DOMAIN>,DC=<TLD>" -f
    > "(objectCategory=OrganizationalUnit)" -sddc ntsecuritydescriptor
    >
    > With this command you can get the security descriptors but they are in
    > SDDL format and you need to convert that to human readable text.
    > I at the moment don't know how to do that, but maybe the guy at
    > joeware.net know.
    >
    > For more info on SDDL see
    > http://www.washington.edu/computing/support/windows/UWdomains/SDDL.html
    >
    > Cheers
    >
    > --
    > Posted using the http://www.windowsforumz.com interface, at author's
    > request
    > Articles individually checked for conformance to usenet standards
    > Topic URL:
    > http://www.windowsforumz.com/Active-Directory-Finding-Delegated-users-Imd-Help-ftopict549240.html
    > Visit Topic URL to contact author (reg. req'd). Report abuse:
    > http://www.windowsforumz.com/eform.php?p=1738135
  4. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    "Cary Shultz A.D. M" wrote:
    > Jorge,
    >
    > I was thinking about adfind. Was also thinking about
    > DSACL.......I am just
    > very tired ( little one is teething and not getting a lot of
    > sleep ) so
    > things are a little less than clear for this old man!
    >
    > --
    > Cary W. Shultz
    > Roanoke, VA 24012
    > Microsoft Active Directory MVP
    >
    > http://www.activedirectory-win2000.com
    > http://www.grouppolicy-win2000.com
    >
    >
    >
    > "Jorge_de_Almeida_Pinto" <UseLinkToEmail@WindowsForumz.com>
    > wrote in message
    > news:3_1738135_acc967bdf4bae6d031b544007e91c221@windowsforumz.com...
    > > "santosh" wrote:
    >  > > Hi All,
    >  > > Anyone know how to search for users whom the
    > administrator
    >  > > have delegated
    >  > > rights to create,delete...etc
    >  > > My Administrator has moved to diff department,I have
    > taken
    >  > > over and as a
    >  > > security concern I would just want to check
    > these,can somebody
    >  > > help me on
    >  > > this..
    >  > > Thanks
    >  > > San
    > >
    > > Hello,
    > >
    > > If you know which groups/users have been delegated
    > permissions but you
    > > don't know where, you could use DSREVOKE from MS (google for
    > it and
    > > you willl find it)
    > >
    > > Another way to search is to search for all defined
    > permissions on OUs
    > > using ADFIND from JOEWARE.NET
    > >
    > > adfind -b "DC=<DOMAIN>,DC=<TLD>" -f
    > > "(objectCategory=OrganizationalUnit)" -sddc
    > ntsecuritydescriptor
    > >
    > > With this command you can get the security descriptors but
    > they are in
    > > SDDL format and you need to convert that to human readable
    > text.
    > > I at the moment don't know how to do that, but maybe the guy
    > at
    > > joeware.net know.
    > >
    > > For more info on SDDL see
    > > http://www.washington.edu/computing/support/windows/UWdomains/SDDL.html
    > >
    > > Cheers
    > >
    > > --
    > > Posted using the http://www.windowsforumz.com interface, at author's
    > > request
    > > Articles individually checked for conformance to usenet
    > standards
    > > Topic URL:
    > > http://www.windowsforumz.com/Active-Directory-Finding-Delegated-users-Imd-Help-ftopict549240.html
    > > Visit Topic URL to contact author (reg. req'd). Report
    > abuse:
    > > http://www.windowsforumz.com/eform.php?p=1738135

    Hi Cary,

    DSACLS and ACLDIAG can not help the guy with what he wants.
    Both wil do fine to grant/read permissions on single objects.

    Het wants to go through AD and what the delegations are what simply
    means "check all security descriptors" and report into a file

    ADFIND from Joeware works OK, but it reports in SDDL format and humans
    don’t really like that format. I once downloaded a SDDL parser that
    converts one string at a time to a readable format. I tried to search
    for it again but I did not succeed

    hehe... the little one thinks "i can’t sleep, so you can’t sleep!"
    ;-)

    Cheers,
Ask a new question

Read More

Microsoft Active Directory Windows