ActiveDirSec.Org

The world's most trusted forum on Active Directory Security


Post Info TOPIC: How to use dsacls to show / view a user's effective permissions on an Organizational Unit (OU)


Newbie

Posts: 4
Date: Jan 3, 2013
How to use dsacls to show / view a user's effective permissions on an Organizational Unit (OU)


Hello,

I would like to know how to use dsacls to view a user's effective permissions on an Organizational Unit (OU) in one of our Active Directory domains.

We are trying to determine what rights are delegated to one of our contractors on one of our main OUs, and I was told that this could be done using dsacls. I did try using dsacls but it only showed me the list of all permissions that were granted directly for that user. (In this case, there was just one ACE granted to this user, but I was hoping to also see what permissions he might have via nested group memberships, because I know he is a member of several of our admin groups.)

Maybe I'm missing something, so could someone please let me know how to view a user's effective permissions on this OU in our AD domain using dsacls?

Thank you.

Jorge



__________________

I'm digging my new Microsoft Surface Tablet.

Rob


Member

Posts: 7
Date: Feb 12, 2013
RE: How to use dsacls to show / view a user's effective permissions on an Organizational Unit (OU)


Hi Jorge,

AFAIK, dsacls does not have the ability to calculate or show effective permissions on AD objects.

Have you tried using the Effective Permissions Tab in Administrative Center, or using the acldiag utility instead? I have not tried it but I think you should be able to determine effective permissions using at least one of these.

Rob





Member

Posts: 6
Date: Mar 21, 2013
RE: How to use dsacls to show / view a user's effective permissions on an Organizational Unit (OU)


Hi Rob,

Last year we had a situation wherein we needed to find out who all could control the Domain Admins group membership in one of our domains, and upon some investigating I found that we needed to determine Effective Permissions on the Domain Admins group to find out who had effective write-property permissions to the member attribute.

Since we had been using dsacls for quite some time, I figured I'd give it a shot to calculate effective permissions, as I could almost swear that dsacls could do effective permissions, but when I did a dsacls /? and reviewed the help, I realized that dsacls couldn't actually do effective permissions.

So we then tried using acldiag, and we soon realized that even acldiag doesn't actually do effective permissions in the correct and expected sense of the term effective permissions. This was honestly a little shocking as Microsoft's own documentation states that acldiag can do effective permissions.

Anyway, so we then tried using the Effective Permissions Tab, and I quickly realized that the only way it was going to let me do effective permissions was to type in each user's name one by one (and we had about 200 personnel), so it wasn't going to be easy to use; plus, while looking up help on it, we came across this KB article which said something to the effect that the Effective Permissions Tab gives incorrect results. I was a bit skeptical, so I looked around a little more and came across another thread here that validated this.

So, in my experience, I have found that neither dsacls nor acldiag nor the Effective Permissions Tab are helpful when it comes to this. You just have to figure out how to do this on your own, and although that can take some time, at least it's doable. (Hopefully you don't have too many objects on which you need to do it.)

It is unfortunate that one of the most important security abilities we need in Active Directory isn't doable using Microsoft's native tools. Oh well, that can be expected from Microsoft I suppose!

~ George



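Since the thread concludes that dsacls only lists direct ACEs and that the rest has to be worked out by hand, here is an added PowerShell example (not from this thread, and not a Microsoft tool) that gathers the ACEs on an OU which apply to an account through its own SID, its primary group, its nested group memberships and the common well-known identities. It assumes the RSAT ActiveDirectory module is installed; the OU DN and the sAMAccountName are placeholders you supply.

```powershell
# Added example: collect the ACEs on an OU that can apply to one account.
# Assumes the RSAT ActiveDirectory module (provides Get-AD* and the AD: drive).
Import-Module ActiveDirectory

function Get-ApplicableOuAces {
    param(
        [Parameter(Mandatory)] [string] $OuDn,     # placeholder, e.g. 'OU=Contractors,DC=example,DC=com'
        [Parameter(Mandatory)] [string] $UserSam   # placeholder sAMAccountName of the account to audit
    )
    $user      = Get-ADUser -Identity $UserSam -Properties primaryGroupID
    $domainSid = (Get-ADDomain).DomainSID.Value

    # SIDs the account carries in its token: its own SID, its primary group,
    # every nested group (LDAP_MATCHING_RULE_IN_CHAIN walks the chain server-side),
    # plus Everyone (S-1-1-0) and Authenticated Users (S-1-5-11).
    $sids = [System.Collections.Generic.HashSet[string]]::new()
    [void]$sids.Add($user.SID.Value)
    [void]$sids.Add("$domainSid-$($user.primaryGroupID)")
    Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))" |
        ForEach-Object { [void]$sids.Add($_.SID.Value) }
    'S-1-1-0', 'S-1-5-11' | ForEach-Object { [void]$sids.Add($_) }

    # Read the OU's DACL and keep only ACEs whose trustee is one of those SIDs.
    $acl = Get-Acl -Path "AD:\$OuDn"
    foreach ($ace in $acl.Access) {
        try {
            $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # orphaned trustee that no longer resolves
        if (-not $sids.Contains($aceSid)) { continue }
        [pscustomobject]@{
            Trustee      = $ace.IdentityReference.Value
            Type         = $ace.AccessControlType        # Allow or Deny
            Rights       = $ace.ActiveDirectoryRights
            ObjectType   = $ace.ObjectType               # attribute/class/extended-right GUID; empty GUID = all
            InheritedObj = $ace.InheritedObjectType      # child object class the ACE is scoped to
            Inherited    = $ace.IsInherited
            AppliesTo    = $ace.InheritanceType
        }
    }
}

# Usage (placeholders):
# Get-ApplicableOuAces -OuDn 'OU=Contractors,DC=example,DC=com' -UserSam 'jdoe' | Format-Table -AutoSize
```

The output is the set of candidate ACEs, not a finished effective-permissions verdict: Deny entries override matching Allow entries, and each ObjectType GUID still has to be resolved against the schema or the Extended-Rights container to see which attribute or control right it covers.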