Identify all Objects in ADS which a specific group has specific permissions

Carsten Giesen

Hello,

Is there a way to find out to which objects in the ADS a
specific group has specific permissions?
I am asking that because I am trying to find out in which OUs
our group "domain joiners" can create computer objects.
I read about ldp.exe, dsquery *, dsacls.exe, acldiag.exe
but I can't find a way to solve my problem.
I don't want to read out manually each ACL of all the
existing OUs in our environment.
Is there a tool or script which can do this for me?

Thanks for every tip and help in advance
 
Shouldn't be hard to script.

Give us an example of how you would specify a specific group with specific permissions.


Jerold Schulman
Windows: General MVP
JSI, Inc.
http://www.jsiinc.com
 
You can run this command

netdom query ou

You can get more help by typing

netdom help query


Hey Jerry add that one to the tips database. :o)
 
Hello Jerold,

thanks for your response.

I want to find out in which OUs the global group "domain
joiners" has the right to create computer objects.
We have a lot of OUs and it is not possible to find this
out by checking each OU manually by hand.
-----Original Message-----
Shouldn't be hard to script.

Give us an example of how you would specify a specific
group with specific permissions.
 
Hello Joe,

thanks for your response.
I will check out this tool. I hope I can use it in such a way
that it starts at a certain point and scans all child OUs in
the tree of the parent OU.
 

Thanks Joe.

From netdom help query:

"OU Query the domain for the list of Organizational Units under
which the specified user can create a machine object"

I presume the specified user is the one running the command, unless the /UserD:UserName parameter was used?



Jerold Schulman
Windows: General MVP
JSI, Inc.
http://www.jsiinc.com
 
See http://www.jsiinc.com/SUBR/tip8500/rh8550.htm
What Active Directory objects have specified access control entries (ACEs)?



Jerold Schulman
Windows: General MVP
JSI, Inc.
http://www.jsiinc.com
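
The scripted check discussed in this thread, as an added example (not code from any poster or from the linked tip): it walks every OU under a starting point and lists those whose ACL allows the group to create computer objects. It assumes PowerShell 3 or later with the RSAT ActiveDirectory module; the `$SearchBase` value and the output property names are illustrative, and the group name is the one from the question.

```powershell
# Added example: list OUs where a group is allowed to create computer objects.
# Assumes PowerShell 3+ with the RSAT ActiveDirectory module (provides the AD: drive).
Import-Module ActiveDirectory

$GroupName  = 'domain joiners'                     # group named in the thread
$SearchBase = (Get-ADDomain).DistinguishedName     # assumption: start at the domain root

# schemaIDGUID of the "computer" class; an empty GUID on an ACE means "any child class".
$ComputerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$CreateChild   = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$SidType       = [System.Security.Principal.SecurityIdentifier]

$groupSid = (Get-ADGroup -Identity $GroupName).SID.Value

Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase -SearchScope Subtree |
    ForEach-Object {
        $ou  = $_.DistinguishedName
        $acl = Get-Acl -Path "AD:\$ou"
        # Explicit and inherited ACEs, with trustees returned as SIDs.
        $acl.GetAccessRules($true, $true, $SidType) |
            Where-Object {
                $_.IdentityReference.Value -eq $groupSid -and
                $_.AccessControlType -eq 'Allow' -and
                # GenericAll also contains the CreateChild bit, so it matches too.
                (($_.ActiveDirectoryRights -band $CreateChild) -eq $CreateChild) -and
                ($_.ObjectType -eq $ComputerClass -or $_.ObjectType -eq [guid]::Empty) -and
                # Skip inherit-only ACEs: they apply to descendants, not to this OU.
                $_.InheritanceType -notin 'Descendents', 'Children'
            } |
            ForEach-Object {
                [pscustomobject]@{
                    OU        = $ou
                    Rights    = $_.ActiveDirectoryRights
                    Inherited = $_.IsInherited
                }
            }
    }
```

Only ACEs granted directly to the group are matched; rights reached through nested group membership, or taken away by Deny ACEs, are not evaluated.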
 