ActiveDirSec.Org

The world's most trusted forum on Active Directory Security


TOPIC: How to use dsacls to find out where all a security group is granted permissions in Active Directory?


Member

Posts: 9
Date: May 19, 2011
How to use dsacls to find out where all a security group is granted permissions in Active Directory?


Hello. I would like to know exactly how to use the Microsoft dsacls.exe tool to find out everywhere a particular domain security group has "Reset Password" permissions in our OU.

We are trying to find out who can reset the password of our user accounts, and unfortunately it is not as easy as one would have thought. I am thinking that perhaps with dsacls, this should be doable but I am not sure how to use dsacls to do so.

Any input or assistance would be appreciated. Thanks.



__________________

My little blog on Active Directory Delegation Tools



Member

Posts: 5
Date: Jun 27, 2012
RE: How to use dsacls to find out where all a security group is granted permissions in Active Directory?


Hello Abdul,

I am not sure if dsacls is actually capable of doing this. I believe it can show you the ACL of an Active Directory object, but I don't think it can show you everywhere a user/group has a specific type of permission, such as Reset Password.

Regards,

Chaitanya.



__________________

Never try to solve a problem on a Friday night. It can spoil your weekend :-)



Newbie

Posts: 3
Date: Jun 29, 2012
RE: How to use dsacls to find out where all a security group is granted permissions in Active Directory?


Hi Abdul,

Have you given checkdsacls a shot? I believe it can dump AD ACLs, so that should give you a starting point. We looked at it, but since it was not supported, it was not an option for us, but it might be for you!

-Jesse



__________________


Member

Posts: 9
Date: Jun 29, 2012
RE: How to use dsacls to find out where all a security group is granted permissions in Active Directory?


Hi Jesse,

I did check out checkdsacls. Unfortunately, it does not cut it for us, for the following reasons:

1. It can only be used to export ACLs, so it still leaves a lot of the analysis to me. What I need is for the tool to do the analysis, not me.

2. It is a free, unsupported tool, and unfortunately, for security reasons, our corporate policies do not permit us to use free/unsupported tools.

dsacls doesn't do it either. I need a tool that can do all the analysis and just show me everywhere a particular security group has Reset Password permissions.

Thank you anyway for the pointers, but I am still continuing to look.

Abdul.



__________________

My little blog on Active Directory Delegation Tools



Member

Posts: 18
Date: May 30, 2013
How to use dsacls to find out where all a security group is granted permissions in Active Directory?


Abdul,

If you are trying to find out who has Reset Password permissions on user accounts in your domain, what you need to do is determine Effective Permissions on each account, and then see exactly who effectively has the Reset Password extended right allowed on that account.

dsacls has an Effective Permissions flag, but it is not exactly what you need, because that flag will only show you which ACEs apply for a given user. You would then have to begin with that data and proceed to manually determine effective permissions on all user accounts.

Depending on how many accounts you have, this could take a considerable amount of time, but it is doable. On average, it takes me about 20 minutes to determine effective permissions on a user account, but it could take you less or more time depending on how small or large your domain is, and how much delegation you have done in your Active Directory.

If you have a small number of users (say 100), you could potentially accomplish this in about 2 to 3 weeks, assuming you do it manually. If you have more than 100 users, I would recommend using automation to your advantage to get this done, as it's simply infeasible to do this manually on so many accounts.

For example, if all you need to know is who can reset user account passwords in your domain, here is an inexpensive solution you can use to fulfill this need.

If you need to make other determinations as well, such as find out who can unlock the accounts of locked users, or enable disabled user accounts etc., let me know and I'll be happy to provide a pointer.

Best wishes,

Nate.



-- Edited by Nathan on Thursday 30th of May 2013 06:52:22 PM

__________________
Today is the tomorrow we worried about yesterday
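The approach Nate describes above (enumerate the ACEs on each user account and on the containers they inherit from, then look for the Reset Password extended right) can be automated with the ActiveDirectory PowerShell module instead of dsacls. The following script is an added example written for this page; it is not from any poster in the thread, and the OU distinguished name and group name are placeholders you replace with your own. It walks an OU subtree and reports every ACE that grants (or denies) the "Reset Password" right, which in the schema is the User-Force-Change-Password extended right with the well-known GUID 00299570-246d-11d0-a768-00aa006e0529, and optionally filters to a single security group.

```powershell
# Added example (not from the thread): list every ACE under an OU that grants or
# denies the "Reset Password" extended right, optionally limited to one trustee.
# Assumes the RSAT ActiveDirectory module, which provides Get-ADObject and the AD: drive.
# $SearchBase and $Group are placeholders; $Group = $null reports all trustees.
param(
    [string]$SearchBase = 'OU=Staff,DC=corp,DC=example',   # placeholder OU
    [string]$Group      = 'CORP\HelpDesk'                  # placeholder group
)
Import-Module ActiveDirectory

# Schema GUID of the User-Force-Change-Password extended right ("Reset Password").
$ResetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
# Schema GUID of the user object class (used when a container ACE is scoped to users).
$UserClassGuid     = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

# Inspect the OUs as well as the user objects: the right may be granted directly on an
# account or inherited from any container above it.
$objects = Get-ADObject -SearchBase $SearchBase -SearchScope Subtree `
    -LDAPFilter '(|(objectClass=organizationalUnit)(objectClass=user))'

foreach ($obj in $objects) {
    $acl = Get-Acl -Path ("AD:\" + $obj.DistinguishedName)
    foreach ($ace in $acl.Access) {
        # Only ACEs carrying the ExtendedRight bit matter (GenericAll includes it).
        $rights = [int]$ace.ActiveDirectoryRights
        if (($rights -band [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -eq 0) { continue }

        # ObjectType names the specific right; an empty GUID means "all extended rights",
        # which covers Reset Password too, so keep those and flag them in the output.
        if ($ace.ObjectType -ne $ResetPasswordGuid -and $ace.ObjectType -ne [Guid]::Empty) { continue }

        # A container ACE scoped (via InheritedObjectType) to a class other than user
        # never reaches user accounts, so skip it.
        if ($ace.InheritedObjectType -ne [Guid]::Empty -and $ace.InheritedObjectType -ne $UserClassGuid) { continue }

        if ($Group -and $ace.IdentityReference.Value -ne $Group) { continue }

        [pscustomobject]@{
            Object      = $obj.DistinguishedName
            Trustee     = $ace.IdentityReference.Value
            AccessType  = $ace.AccessControlType      # Allow or Deny
            Inherited   = $ace.IsInherited
            AllExtended = ($ace.ObjectType -eq [Guid]::Empty)
        }
    }
}
```

Run it as a domain user with read access to the OU, for example `.\Find-ResetPasswordAces.ps1 -SearchBase 'OU=Staff,DC=corp,DC=example' -Group 'CORP\HelpDesk' | Format-Table -AutoSize`. As Nate points out, this output is the list of applicable ACEs, not the effective permissions: Deny ACEs, nested group membership, object ownership and protected (adminCount) accounts all still have to be weighed before concluding who can actually reset a given password. Reviewing the rows where AllExtended is True is worthwhile in its own right, since those trustees hold every extended right on the object, not just Reset Password.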