How to document delegations (delegated access) in Active Directory?


    Hello Forum,


    My name is Andrei, and I am new to the forum. I have a rather difficult project that I have been assigned, and have been struggling with it, so thought of asking you experts for some help.


    My manager was recently asked to furnish an audit report that has the names of all the people in our Help Desk teams who can reset the passwords of all the user accounts in one of the Active Directory domains we manage for one of our customers.


    There are about 5000 user accounts in this customer's AD, and because we are a managed service provider, and we have our helpdesk teams in India, we have about 300 people in all who belong to various Help Desk teams. However, I know for a fact that not all of these people can reset the passwords of all the accounts in that customer's domain, because although we have a fair amount of delegation, mostly based on nested group memberships, we do have a fair amount of deny permissions for some of these groups.


    The problem is that there are so many permissions, given that there are 5000+ accounts, so I don't know where or how to begin, or what to do to generate this report. To add to that, those deny permissions make it all the harder.


    So my question is: How do I generate this report to document who is delegated the ability to reset passwords in this customer's Active Directory?


    Thank you for your help.


    -Andrei

  • #2
    Re: How to document delegations (delegated access) in Active Directory?

    Any help?
    http://social.technet.microsoft.com/...rmissions.aspx
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **



    • #3
      Re: How to document delegations (delegated access) in Active Directory?

      Originally posted by Ossian:
      Any help? <I had to remove link since it would not let me post response without removing link>

      Tom, I looked at that page, but it does not seem to be of much help, in that the info was not very useful in trying to solve this problem.

      I mean it did help to the extent that I know of some options to get a dump of Active Directory permissions in our domain, but I will still need to do all the analysis myself to try and figure out who can really reset whose passwords.

      I must say that this is very frustrating. Just looking at all the permissions, I don't know where to begin, how to begin, and how to generate this report.

      I thought I would first look at all the deny permissions to rule out who cannot reset passwords, but when I started looking, they were granted using nested groups, so then I had to try to enumerate nested group memberships.

      So I started using PowerShell to enumerate nested group memberships, but keeping track of all the memberships and members and tracing them back to the permissions is just driving me crazy.

      I have already wasted 4 days trying to do this, without much luck. Microsoft ought to make it easier to try and figure this out for us.

      How do you experts find this out?

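      The evaluation described in #3 (deny ACEs first, nested groups flattened, traced back to the "Reset Password" right), as an added example that is not from this thread or from any tool it mentions. It assumes the RSAT ActiveDirectory module, read access to the domain, and a placeholder search-base OU.

```powershell
# Added example, not from this thread: for every user under a search base, work out which principals
# effectively hold the "Reset Password" control access right, honouring deny ACEs and nested groups.
Import-Module ActiveDirectory
$ResetPwdGuid  = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # Reset Password extended right
$AllRightsGuid = [guid]'00000000-0000-0000-0000-000000000000'  # ACE that covers all extended rights
$SearchBase    = 'OU=Customer Users,DC=example,DC=com'          # placeholder; point at the customer's OU
$Rights        = [System.DirectoryServices.ActiveDirectoryRights]
$memberCache   = @{}                                            # SID -> flattened user list
function Expand-Principal {
    # Flattens an ACE trustee to the user accounts behind it (nested groups included).
    param([System.Security.Principal.IdentityReference]$Id)
    try { $sid = $Id.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { return @($Id.Value) }                               # unresolvable trustee: keep its name
    if ($memberCache.ContainsKey($sid)) { return $memberCache[$sid] }
    $obj = Get-ADObject -Filter "objectSid -eq '$sid'" -ErrorAction SilentlyContinue
    $names = if (-not $obj) { @($Id.Value) }                    # well-known SID such as Authenticated Users
             elseif ($obj.ObjectClass -eq 'group') {
                 @(Get-ADGroupMember -Identity $obj.DistinguishedName -Recursive |
                   Where-Object ObjectClass -eq 'user' | ForEach-Object SamAccountName) }
             else { @($obj.Name) }
    $memberCache[$sid] = $names
    return $names
}
function Get-ResetPasswordGrantees {
    # Returns the users who can reset the password of the object at $UserDn.
    param([string]$UserDn)
    $acl = Get-Acl -Path "AD:\$UserDn"
    $decided = @{}                                              # user -> 'Allow' or 'Deny'
    # The DACL is stored in canonical order (explicit deny, explicit allow, inherited deny,
    # inherited allow), so for a single right the first ACE that matches a user decides.
    foreach ($ace in $acl.Access) {
        if ($ace.PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::InheritOnly)) { continue }
        $covers = $ace.ActiveDirectoryRights.HasFlag($Rights::GenericAll) -or
                  ($ace.ActiveDirectoryRights.HasFlag($Rights::ExtendedRight) -and
                   ($ace.ObjectType -eq $ResetPwdGuid -or $ace.ObjectType -eq $AllRightsGuid))
        if (-not $covers) { continue }
        foreach ($u in Expand-Principal $ace.IdentityReference) {
            if (-not $decided.ContainsKey($u)) { $decided[$u] = [string]$ace.AccessControlType }
        }
    }
    return @($decided.Keys | Where-Object { $decided[$_] -eq 'Allow' })
}
# Roll up per principal: how many of the customer's users can each one reset?
$tally = @{}
foreach ($user in Get-ADUser -Filter * -SearchBase $SearchBase) {
    foreach ($p in Get-ResetPasswordGrantees $user.DistinguishedName) { $tally[$p] = 1 + [int]$tally[$p] }
}
$tally.GetEnumerator() | Sort-Object Value -Descending | Format-Table Name, Value -AutoSize
```

      Get-ADGroupMember -Recursive is capped at 5000 members per group by default and does not expand groups from trusted forests, so such trustees appear under their own name rather than as individual users. The cache keeps each group expansion to once per run, which matters across 5000 user objects.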


      • #4
        Re: How to document delegations (delegated access) in Active Directory?

        The best way to document permissions is as you grant them, but the problem is (a) dealing with "historic" permissions and (b) remembering to write things down -- a formal policy of "permissions changes must be requested in writing" helps here

        Did you look at all of the link I posted, specifically the section on LIZA and also ACLDiag (which looks from the target object's point of view)?

        But ultimately if you have a large network without documentation, you will have to take the time to document it properly -- once done, the task becomes much easier
        Tom Jones



        • #5
          Re: How to document delegations (delegated access) in Active Directory?

          Take a look at checkdsacls.exe: http://activedirectoryutils.codeplex...ses/view/20704
          Guy Teverovsky
          "Smith & Wesson - the original point and click interface"
