Check Delegated Privileges


  • Check Delegated Privileges

    My 2003 AD has an Operators OU and user Fred. An administrator tells me he has given Fred the following privileges:
    Create, delete and manage user accounts
    Reset user password and force password change at next logon
    Read all user information
    Create, delete and manage groups
    Modify the membership of a group

    How can I check and confirm this? It's not as easy as one may think!

  • #2
    Re: Check Delegated Privileges

    Open up AD Users and Computer.

    Go to View, Advanced features (a tick should then be there - if already there, leave it as it is)

    Go to the Properties of the domain node and then click Security. Look to see if their name is listed.

    If the delegation was elsewhere, such as on an OU, go there instead and do the same.

    This is one way. Whether it is the easiest, I wouldn't know.



    • #3
      Re: Check Delegated Privileges

      Thanks for that, Virtual, but it doesn't work! All I can see for Fred is Create & Delete Users and Groups; there is no mention of the other privileges, even in Effective Permissions for Fred.



      • #4
        Re: Check Delegated Privileges

        Hi,

        You can use the DSREVOKE.EXE from Microsoft.

        Ta
        Caesar's cipher - 3

        ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

        SFX JNRS FC U6 MNGR



        • #5
          Re: Check Delegated Privileges

          That would suggest he has the permission via a group or it is assigned elsewhere or he doesn't have the permission set.

          You can always re-run the delegation wizard.

          Andy's tool is just what you are looking for.



          • #6
            Re: Check Delegated Privileges

            Thanks, L4ndy and Virtual. The MS tool is exactly what I was looking for. I was surprised it is not possible from within AD Users & Computers.

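The check asked for in this thread can also be scripted. The following PowerShell is an added example, not part of any post above: it reads the ACL of the OU and lists every ACE held by Fred or by a group he belongs to, resolving the object-type GUIDs behind the five delegated tasks to readable names. The domain `DC=example,DC=com`, the `EXAMPLE\Fred` account and the `EXAMPLE\OU Operators` group are assumed names; substitute your own.

```powershell
# Added example. Assumed names: example.com domain, EXAMPLE\Fred, EXAMPLE\OU Operators.
$ouDn     = 'OU=Operators,DC=example,DC=com'
# Include Fred's groups: a delegation may have been granted to a group, not to Fred.
$trustees = @('EXAMPLE\Fred', 'EXAMPLE\OU Operators')

# Schema and extended-right GUIDs relevant to the delegated tasks in the question.
$guidNames = @{
    '00000000-0000-0000-0000-000000000000' = '(all)'
    'bf967aba-0de6-11d0-a285-00aa003049e2' = 'user (class)'
    'bf967a9c-0de6-11d0-a285-00aa003049e2' = 'group (class)'
    'bf9679c0-0de6-11d0-a285-00aa003049e2' = 'member (attribute)'
    'bf967a0a-0de6-11d0-a285-00aa003049e2' = 'pwdLastSet (attribute)'
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password (extended right)'
}

function Resolve-AdGuid([Guid]$Guid) {
    # Return a friendly name for known GUIDs, otherwise the raw GUID for manual lookup.
    $key = $Guid.ToString()
    if ($guidNames.ContainsKey($key)) { $guidNames[$key] } else { $key }
}

function Get-DelegatedAce {
    param([string]$DistinguishedName, [string[]]$Trustee)

    $entry = [ADSI]"LDAP://$DistinguishedName"
    # Explicit and inherited ACEs, with SIDs translated to DOMAIN\name form.
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules(
                 $true, $true, [System.Security.Principal.NTAccount])

    $rules |
        Where-Object { $Trustee -contains $_.IdentityReference.Value } |
        Select-Object @{n='Trustee';        e={ $_.IdentityReference.Value }},
                      AccessControlType,
                      ActiveDirectoryRights,
                      @{n='ObjectType';     e={ Resolve-AdGuid $_.ObjectType }},
                      InheritanceType,
                      @{n='AppliesToClass'; e={ Resolve-AdGuid $_.InheritedObjectType }},
                      IsInherited
}

Get-DelegatedAce -DistinguishedName $ouDn -Trustee $trustees | Format-Table -AutoSize
```

Each row is one ACE: `ActiveDirectoryRights` gives the operation, `ObjectType` the class, attribute or extended right it is limited to, and `AppliesToClass` the kind of descendant object the ACE is inherited by.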