List Archives

This forum is an archive of all posts to our mailing list over the past few years.  The forum is set read only therefore to contribute you will need to join our list community.  See more info about this here.

 

When subscribed to the list you should use your standard email client to send your posts to ActiveDir@mail.activedir.org.

Subject: [ActiveDir] Search AD for groups that have specific rights
bonnie.pohlschneider@xxxx.yyy

05/18/2006 5:05 AM  
Is there a tool or script that will allow me to query all of the groups in AD and find those with particular security rights? For example, I would like to be able to view all of the groups that can reset passwords or query for all groups that can create groups. I am not savvy with scripting so any links to existing scripts or step-by-step instructions would be appreciated.

BONNIE POHLSCHNEIDER
amulnick

Posts:143

05/19/2006 12:42 PM  
Perhaps somebody else has found something more elegant?

http://technet2.microsoft.com/WindowsServer/en/Library/ffd71dba-386e-463e-9529-f0b77d708ca01033.mspx?mfr=true



On 5/18/06, bonnie.pohlschneider@xxxxxxxxxxxxxxxxxx wrote:

Is there a tool or script that will allow me to query all of the groups in AD and find those with particular security rights? For example, I would like to be able to view all of the groups that can reset passwords or query for all groups that can create groups. I am not savvy with scripting so any links to existing scripts or step-by-step instructions would be appreciated.



BONNIE POHLSCHNEIDER
listmail

Posts:497

05/23/2006 4:10 AM  
Yep, this is a PITA in Windows. It is why you should have really good process and standards around ACLing. Thing is most people don't think about it until after they are in trouble.

Take a look at the script at http://rallenhome.com/books/ad3e/source/ch_26_list_aces.vbs.txt, it shows you how to list the ACEs out, you could modify this to output into a CSV format and/or just dump explicit ACEs which will narrow down the actual number of ACEs you have to look at.


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 


From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Al Mulnick
Sent: Friday, May 19, 2006 8:42 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Search AD for groups that have specific rights

Hmm...

Not sure this is what you're looking for, but DSACLS will give that information to you. If you don't set permissions with it, it can report the current permissions. But it's a lot of information to wade through even when you're done. I think if you wanted to script it, you'd want to shove the results into a DB so you could report on it in a way that makes more sense for what you're trying to accomplish. Keep in mind that there are a lot of rights out there so your reporting could be complex if you try to take the data out of the AD and put it into something else.

Perhaps somebody else has found something more elegant?

http://technet2.microsoft.com/WindowsServer/en/Library/ffd71dba-386e-463e-9529-f0b77d708ca01033.mspx?mfr=true



On 5/18/06, bonnie.pohlschneider@xxxxxxxxxxxxxxxxxx wrote:

Is there a tool or script that will allow me to query all of the groups in AD and find those with particular security rights? For example, I would like to be able to view all of the groups that can reset passwords or query for all groups that can create groups. I am not savvy with scripting so any links to existing scripts or step-by-step instructions would be appreciated.

BONNIE POHLSCHNEIDER
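
The approach suggested in the thread (list the ACEs, keep only the explicit ones, write them to CSV) can be sketched as follows. This is an added example, not code from the thread or from the script linked above. It assumes each object's security descriptor has already been exported as an SDDL string keyed by distinguished name; the sample DN, SIDs and descriptor are constructed, and the trustee SIDs in the output still have to be resolved to group names.

```python
import csv, io, re

# Well-known schema GUIDs, identical in every forest.
RESET_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"  # User-Force-Change-Password
GROUP_CLASS = "bf967a9c-0de6-11d0-a285-00aa003049e2"     # schemaIDGUID of class "group"
BITS = {"CC": 0x1, "CR": 0x100}  # create-child and control-access mask bits

def pairs(s):
    """Split an SDDL flag/rights field into its two-letter tokens."""
    return {s[i:i + 2] for i in range(0, len(s), 2)}

def rights_of(field):
    """Return the subset of {'CC','CR'} present in a symbolic or hex rights field."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        return {name for name, bit in BITS.items() if mask & bit}
    return pairs(field) & set(BITS)

def find_delegations(sddl_by_dn):
    """Yield (dn, trustee, right, flags) for explicit allow ACEs of interest."""
    for dn, sddl in sddl_by_dn.items():
        dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
        for ace in re.findall(r"\(([^()]*)\)", dacl):
            kind, flags, rights, obj, _inh_obj, trustee = ace.split(";")[:6]
            if kind not in ("A", "OA") or "ID" in pairs(flags):
                continue  # skip deny/audit ACEs and inherited ACEs
            held, obj = rights_of(rights), obj.lower()
            if "CR" in held and obj in ("", RESET_PASSWORD):
                yield dn, trustee, "Reset Password", flags
            if "CC" in held and obj in ("", GROUP_CLASS):
                yield dn, trustee, "Create Group", flags

def to_csv(rows):
    """Render the findings as CSV text with a header row."""
    out = io.StringIO()
    w = csv.writer(out)
    w.writerow(["dn", "trustee", "right", "ace_flags"])
    w.writerows(rows)
    return out.getvalue()

# Constructed sample: one OU with two explicit delegations, one explicit deny,
# one inherited delegation and an inherited full-control ACE.
SAMPLE = {"OU=Staff,DC=example,DC=com": "O:DAG:DAD:AI"
    "(OA;CIIO;CR;00299570-246d-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-1-2-3-1105)"
    "(OA;CI;CC;bf967a9c-0de6-11d0-a285-00aa003049e2;;S-1-5-21-1-2-3-1106)"
    "(OD;;CR;00299570-246d-11d0-a768-00aa006e0529;;WD)"
    "(OA;CIID;CR;00299570-246d-11d0-a768-00aa006e0529;;S-1-5-21-1-2-3-1107)"
    "(A;CIID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"}

if __name__ == "__main__":
    print(to_csv(find_delegations(SAMPLE)), end="")
```

An ACE with an empty object GUID is reported as well, because control-access or create-child without a GUID covers every extended right or every child class.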