Getting all object permissions for a single user.


eniacpx

Is there a program I can use, or a command I can run to get a list of
the explicit permissions a specific user has to all objects in AD?

For example:

I add myself to John Q's mailbox with full control but I forget to take
myself back off later. Can I run a program that will tell me every
mailbox I have full control of?
 
eniacpx said:
> Is there a program I can use, or a command I can run to get a list of
> the explicit permissions a specific user has to all objects in AD?

It can be done, but you need to write a script to do it.

> For example:
>
> I add myself to John Q's mailbox with full control but I forget to take
> myself back off later. Can I run a program that will tell me every
> mailbox I have full control of?

Not built-in -- that isn't something that is in a typical AD
query but will require you to enumerate the permissions
I believe.

If you did this to John Q, would you KNOW which it is?
(Or did you really do this to a bunch of John and Joan
Ps and Qs etc.?)
 
That isn't an AD permission, it is a permission in Exchange. Plus there
are two different layers you can add permissions to Exchange, in the
store and on the mailbox ACL. If you added yourself to the mailbox ACL
you would have done it through ADUC. If you were monkeying with store
permissions you would have done it in Outlook.

So assuming you were playing with mailbox ACLs then you can use any tool
that knows how to read the msExchMailboxSecurityDescriptor attribute.
Note that you will not be able to QUERY for this info, you will need to
enumerate every single mailbox and look at that ACL. Something like (all
one line)

adfind -gc -null -f mailnickname=* msExchMailboxSecurityDescriptor -sddl++ -resolvesids -csv

will dump the info to CSV for you so you can dig through it.

If you have a large org, this won't be fast.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
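The same enumerate-and-decode approach in PowerShell, as an added example that is not part of the thread or of adfind: it walks every mailbox-enabled object in the GC with the same (mailNickname=*) filter, decodes msExchMailboxSecurityDescriptor with .NET's RawSecurityDescriptor, and reports the mailboxes carrying an ACE for one trustee, flagging which entries are explicit rather than inherited. It assumes a domain-joined Windows host and read access to the attribute; the trustee name is a placeholder.

```powershell
# Added example, not from the thread: which mailbox ACLs mention a given trustee?
param(
    # Trustee to audit, e.g. 'CONTOSO\jdoe' (placeholder value, not from the thread).
    [Parameter(Mandatory)] [string] $TrusteeAccount
)

# Compare by SID so the match does not depend on name resolution.
$trusteeSid = (New-Object System.Security.Principal.NTAccount($TrusteeAccount)).Translate(
    [System.Security.Principal.SecurityIdentifier])

# There is no server-side filter on ACL contents, so every mailbox-enabled
# object is enumerated and its descriptor is decoded on the client.
$rootDse  = [ADSI]'LDAP://RootDSE'
$gc       = [ADSI]('GC://' + $rootDse.rootDomainNamingContext.Value)
$searcher = New-Object System.DirectoryServices.DirectorySearcher($gc)
$searcher.Filter   = '(mailNickname=*)'
$searcher.PageSize = 1000   # paged results; large orgs exceed the default size limit
[void]$searcher.PropertiesToLoad.AddRange(
    [string[]]@('distinguishedName', 'msExchMailboxSecurityDescriptor'))

$hits = foreach ($result in $searcher.FindAll()) {
    $raw = $result.Properties['msexchmailboxsecuritydescriptor']
    if ($raw.Count -eq 0) { continue }   # attribute absent, or not readable by this account

    # The attribute holds a self-relative security descriptor in binary form.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor(([byte[]]$raw[0]), 0)
    if ($null -eq $sd.DiscretionaryAcl) { continue }

    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($ace.SecurityIdentifier.Value -ne $trusteeSid.Value) { continue }
        [pscustomobject]@{
            Mailbox    = $result.Properties['distinguishedname'][0]
            AceType    = $ace.AceType                        # AccessAllowed / AccessDenied
            # Bits in this mask are Exchange mailbox rights; reported raw, not decoded.
            AccessMask = ('0x{0:X8}' -f $ace.AccessMask)
            # Non-inherited ACEs are the "explicit" entries the question asks about.
            Explicit   = (($ace.AceFlags -band [System.Security.AccessControl.AceFlags]::Inherited) -eq 0)
        }
    }
}

$hits | Sort-Object Mailbox | Format-Table -AutoSize
```

Pipe `$hits` to Export-Csv instead of Format-Table to get the same kind of CSV dump the adfind command produces.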
 
Hello,

If you wish to find all AD objects to which a given user has any access,
DSRAZOR for Windows will provide this information in its powerful trustee
reports. All tools provided with DSRAZOR for Windows are fully customizable
with its powerful drag-and-drop Designer, without any need to know
scripting. We permit you to query and modify all attributes in your Active
Directory, even custom extensions you may have added to your schema. To
download a free trial version, and to set up a personalized, one-on-one web
presentation to show you how to document trustees in AD (and in NTFS), along
with many other powerful features, please visit our web site:

http://www.visualclick.com/?source=trustees20061226

--

Paul Labuda
Senior Support Engineer
Visual Click Software, Inc.
http://www.visualclick.com/?source=trustees20061226
 