Archived from groups: microsoft.public.win2000.active_directory
"Cary Shultz A.D. M" wrote:
> Jorge,
>
> I was thinking about adfind. Was also thinking about DSACL.......I am just
> very tired ( little one is teething and not getting a lot of sleep ) so
> things are a little less than clear for this old man!
>
> --
> Cary W. Shultz
> Roanoke, VA 24012
> Microsoft Active Directory MVP
>
> http://www.activedirectory-win2000.com
> http://www.grouppolicy-win2000.com
>
> "Jorge_de_Almeida_Pinto" <UseLinkToEmail@WindowsForumz.com> wrote in message
> news:3_1738135_acc967bdf4bae6d031b544007e91c221@windowsforumz.com...
> > "santosh" wrote:
> > > Hi All,
> > > Anyone know how to search for users whom the administrator has
> > > delegated rights to create, delete...etc
> > > My Administrator has moved to diff department, I have taken over and
> > > as a security concern I would just want to check these, can somebody
> > > help me on this..
> > > Thanks
> > > San
> >
> > Hello,
> >
> > If you know which groups/users have been delegated permissions but you
> > don't know where, you could use DSREVOKE from MS (google for it and
> > you will find it)
> >
> > Another way to search is to search for all defined permissions on OUs
> > using ADFIND from JOEWARE.NET
> >
> > adfind -b "DC=<DOMAIN>,DC=<TLD>" -f "(objectCategory=OrganizationalUnit)" -sddc ntsecuritydescriptor
> >
> > With this command you can get the security descriptors but they are in
> > SDDL format and you need to convert that to human readable text.
> > I at the moment don't know how to do that, but maybe the guy at
> > joeware.net knows.
> >
> > For more info on SDDL see
> > http://www.washington.edu/computing/support/windows/UWdomains/SDDL.html
> >
> > Cheers
> >
Hi Cary,

DSACLS and ACLDIAG cannot help the guy with what he wants.
Both will do fine to grant/read permissions on single objects.
He wants to go through AD and see what the delegations are, which simply
means "check all security descriptors" and report into a file.

ADFIND from Joeware works OK, but it reports in SDDL format and humans
don’t really like that format. I once downloaded an SDDL parser that
converts one string at a time to a readable format. I tried to search
for it again but I did not succeed.

hehe... the little one thinks "I can’t sleep, so you can’t sleep!" ;-)

Cheers,
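
The SDDL-to-readable-text step this thread is looking for, as an added example that is not part of the original posts and is not joeware or Microsoft code: it decodes the DACL of one SDDL string and lists the explicit (non-inherited) allow ACEs that grant change rights, which is how a delegation on an OU shows up. The function names, the `DEFAULT_TRUSTEES` filter, the two-entry GUID table and the sample descriptor with its SID are assumptions constructed for illustration.

```python
import re

ACE_TYPES = {"A": "Allow", "D": "Deny", "OA": "Allow", "OD": "Deny"}
RIGHTS = {  # SDDL two-letter codes for directory-object access rights
    "CC": "create child", "DC": "delete child", "LC": "list children",
    "SW": "validated write", "RP": "read property", "WP": "write property",
    "DT": "delete tree", "LO": "list object", "CR": "extended right",
    "SD": "delete", "RC": "read permissions", "WD": "change permissions",
    "WO": "take ownership", "GA": "full control", "GR": "generic read",
    "GW": "generic write", "GX": "generic execute",
}
CHANGE = {"CC", "DC", "SW", "WP", "DT", "CR", "SD", "WD", "WO", "GA", "GW"}
DEFAULT_TRUSTEES = {"SY", "DA", "EA", "BA"}  # assumption: admins expected on every OU
GUIDS = {  # two well-known schema GUIDs; resolve others against your own schema
    "bf967aba-0de6-11d0-a285-00aa003049e2": "user objects",
    "00299570-246d-11d0-a768-00aa006e0529": "Reset Password",
}

def parse_dacl(sddl):
    """One dict per ACE in the D: (DACL) part; conditional ACEs are not handled."""
    dacl = re.search(r"D:[A-Z_]*((?:\([^()]*\))*)", sddl)
    aces = []
    for body in re.findall(r"\(([^()]*)\)", dacl.group(1) if dacl else ""):
        typ, flags, rights, obj, inherit_obj, trustee = body.split(";")[:6]
        codes = [] if rights.startswith("0x") else re.findall("..", rights)
        aces.append({
            "type": ACE_TYPES.get(typ, typ),
            "inherited": "ID" in re.findall("..", flags),
            "codes": codes,
            "rights": ", ".join(RIGHTS.get(c, c) for c in codes) or rights,
            "object": GUIDS.get(obj.lower(), obj),
            "applies_to": GUIDS.get(inherit_obj.lower(), inherit_obj),
            "trustee": trustee,
        })
    return aces

def delegations(sddl):
    """Explicit allow ACEs granting change rights to non-default trustees."""
    return [a for a in parse_dacl(sddl)
            if a["type"] == "Allow" and not a["inherited"]
            and a["trustee"] not in DEFAULT_TRUSTEES and CHANGE & set(a["codes"])]

# Constructed sample descriptor (not real output); the SID is made up.
SAMPLE = ("O:DAG:DAD:AI(A;;GA;;;SY)(A;;GA;;;DA)"
          "(OA;CI;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;S-1-5-21-1-2-3-1105)"
          "(OA;CIIO;CR;00299570-246d-11d0-a768-00aa006e0529;"
          "bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-1-2-3-1105)(A;CIID;GA;;;EA)")

if __name__ == "__main__":
    for ace in delegations(SAMPLE):
        print(ace["trustee"], "->", ace["rights"], "|", ace["object"], "|", ace["applies_to"])
```

Trustees come out as raw SIDs or SDDL aliases; mapping a SID to an account name still needs a lookup against the domain.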