ActiveDirSec.Org

The world's most trusted forum on Active Directory Security


Post Info TOPIC: How to list Active Directory object permissions?


Member

Posts: 21
Date: Jun 1, 2011
How to list Active Directory object permissions?
Permalink  
 


Hi. I would like to know if there is an easy way to list Active Directory object permissions, particularly those that might be delegated to users in our Organizational Units (OUs)

We are trying to find out where all one of our groups might be granted specific permissions, and have tried dsacls and other cmd line tools but it is not that easy.

I am certain that this must be a common task for others as well, and thus thought of asking if you could share how you go about making such determinations?

Thanks.



__________________

Wherever you go and whatever you do, may the luck of the Irish be there with you.



Member

Posts: 12
Date: Jun 26, 2012
RE: How to list Active Directory object permissions?
Permalink  
 


Geoffrey,

This is indeed not as easy as trying to run a simple LDAP query, because it involves looking into and analyzing security permissions within Active Directory ACLs.

Depending on the extent of analysis you wish to do, you could use multiple avenues to fulfill your objective. If its just a matter of finding out where all a user might have any permissions, perhaps PowerShell could be used to do so.

On the other hand, if you're looking for a specific permission-combination and wish to include nested group memberships, then I'm afraid something as basic as PowerShell might not be sufficient for you.

If you could give me some idea as to the level of analysis you wish to perform, I could suggest a few alternatives that might help.

Ciao,

Nicolas.



__________________
Bond: There’s a name to die for! (Die Another Day)


Member

Posts: 6
Date: Jun 29, 2012
RE: How to list Active Directory object permissions?
Permalink  
 


Geoffrey,

Have you tried the free PowerShell Commands for Active Directory from Quest Sofware? They're free and are cmdlets. Should give shot.

Vladmir.



__________________

Да здравствует Россия!  Министерство обороны Российской Федерации



Member

Posts: 21
Date: Jan 17, 2013
RE: How to list Active Directory object permissions?
Permalink  
 


Hi Vladmir,

I appreciate your inputs, but as a US company, we are not going to be deploying software built in Russia in our corporate environment. (Its just a risk we are no willing to take no matter what.)

Fortunately, we have since found a good tool built right here in the US and we're quite happy with it.

Thanks,

-G



__________________

Wherever you go and whatever you do, may the luck of the Irish be there with you.



Newbie

Posts: 4
Date: Feb 12, 2013
RE: How to list Active Directory object permissions?
Permalink  
 


Hi Geoffrey,

We too have a need to be able to enumerate specific Active Directory access rights / permissions granted to some of our users. We've come across numerous tools but they all seem to be built in India, Russia etc. 

Since you mentioned you're using a US based tool , if you don't mind me asking what tool are you using? We'd be interested in evaluating and possibly deploying a US based tool too.

Thanks,

Steve.



__________________

Build The Bridge.

Page 1 of 1  sorted by
Quick Reply

Please log in to post quick replies.

Post to Digg Post to Del.icio.us
Members Login
Username 
 
Password 
    Remember Me