Finding Delegated users ,,,Need Imd Help

Hi All,
Anyone know how to search for users to whom the administrator has delegated
rights to create, delete, etc.?
My administrator has moved to a different department, I have taken over, and
as a security concern I would just want to check these. Can somebody help me
on this?
Thanks
San
 
If you are asking about what might have been delegated to certain users ( or
better, to certain groups ) via the Delegation Wizard - or manually, for
that matter - then there is no way to 'know' this other than going to each
object ( probably the OU..... ) and looking.

I am sure that there are some tools out there ( go to
http://www.joeware.net ) and look there for any tools that he might have
written to handle this ( I know that there is but am a bit tired
today..... ).

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
 
Hello,

If you know which groups/users have been delegated permissions but you
don’t know where, you could use DSREVOKE from MS (google for it and
you will find it).

Another way to search is to search for all defined permissions on OUs
using ADFIND from JOEWARE.NET

adfind -b "DC=<DOMAIN>,DC=<TLD>" -f "(objectCategory=OrganizationalUnit)" -sddc ntsecuritydescriptor

With this command you can get the security descriptors, but they are in
SDDL format and you need to convert that to human-readable text.
At the moment I don’t know how to do that, but maybe the guy at
joeware.net knows.

For more info on SDDL see
http://www.washington.edu/computing/support/windows/UWdomains/SDDL.html

Cheers
 
Cary Shultz A.D. M said:
Jorge,

I was thinking about adfind. Was also thinking about DSACL.......I am just
very tired ( little one is teething and not getting a lot of sleep ) so
things are a little less than clear for this old man!

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



Hi Cary,

DSACLS and ACLDIAG cannot help the guy with what he wants.
Both will do fine to grant/read permissions on single objects.

He wants to go through AD and see what the delegations are, which simply
means "check all security descriptors" and report into a file.

ADFIND from Joeware works OK, but it reports in SDDL format and humans
don’t really like that format. I once downloaded an SDDL parser that
converts one string at a time to a readable format. I tried to search
for it again but I did not succeed.

hehe... the little one thinks "i can’t sleep, so you can’t sleep!"
;-)

Cheers,
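
The SDDL-to-readable step that the replies above say is missing, as an added example (not code from this thread or from joeware.net): a small Python decoder for the DACL part of an SDDL string that keeps only explicit allow ACEs granting a non-default trustee modifying rights such as create or delete child. The sample descriptor and its SIDs are constructed, and the set of default trustees and the two-entry GUID table are assumptions to adjust for your domain.

```python
import re

# SDDL access-right codes for directory objects -> readable names
RIGHTS = {"CC": "create child", "DC": "delete child", "LC": "list children",
          "SW": "self write", "RP": "read property", "WP": "write property",
          "DT": "delete tree", "LO": "list object", "CR": "control access",
          "SD": "delete", "RC": "read control", "WD": "write DACL",
          "WO": "write owner", "GA": "generic all", "GR": "generic read",
          "GW": "generic write", "GX": "generic execute"}
MODIFYING = {"CC", "DC", "SW", "WP", "DT", "CR", "SD", "WD", "WO", "GA", "GW"}
# SDDL aliases of built-in trustees, treated here as not delegated (assumption)
DEFAULT_TRUSTEES = {"SY", "BA", "DA", "EA", "CO", "AO", "PO", "SO", "ED"}
# Two well-known schema GUIDs; unknown GUIDs are shown as-is
GUIDS = {"bf967aba-0de6-11d0-a285-00aa003049e2": "user objects",
         "00299570-246d-11d0-a768-00aa006e0529": "reset password"}

def pairs(s):
    """Split a string of two-letter SDDL codes into a list."""
    return [s[i:i + 2] for i in range(0, len(s), 2)]

def parse_dacl(sddl):
    """Return every ACE in the DACL (D:) part of an SDDL string as a dict."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        typ, flags, rights, obj, _inherit_obj, trustee = body.split(";")[:6]
        codes = [rights] if rights.startswith("0x") else pairs(rights)
        aces.append({"allow": typ in ("A", "OA"), "inherited": "ID" in pairs(flags),
                     "codes": codes, "rights": [RIGHTS.get(c, c) for c in codes],
                     "object": GUIDS.get(obj.lower(), obj), "trustee": trustee})
    return aces

def delegations(sddl):
    """Explicit allow ACEs that give a non-default trustee modifying rights."""
    return [a for a in parse_dacl(sddl)
            if a["allow"] and not a["inherited"]
            and a["trustee"] not in DEFAULT_TRUSTEES
            and any(c in MODIFYING or c.startswith("0x") for c in a["codes"])]

# Constructed sample descriptor for one OU (the SIDs are made up)
SAMPLE = ("O:DAG:DAD:AI(A;;GA;;;SY)(A;;GA;;;DA)(A;;RPLCLORC;;;AU)"
          "(OA;CI;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;S-1-5-21-1-2-3-1105)"
          "(OA;CIIO;CR;00299570-246d-11d0-a768-00aa006e0529;"
          "bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-1-2-3-1105)"
          "(A;CIID;WP;;;S-1-5-21-1-2-3-1200)")

if __name__ == "__main__":
    for a in delegations(SAMPLE):
        print(a["trustee"], "may", ", ".join(a["rights"]), "on", a["object"] or "this object")
```

Inherited ACEs (flag ID) are skipped because they are reported on the parent where they were set; raw hex access masks are reported undecoded rather than dropped.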
 