How to create a list of everyone who has access to make changes to AD

swilson

Hi, is there a way to find out who has access to make changes to AD
(i.e. delete or create OUs)? Thanks
 
Joe Richards [MVP]

You would need to write a script that queries the ACLs on every object
that could support an OU being created as a child and then pull out the
ACEs that apply (create child - any, create child - OUs, full control,
and anyone who can write the permissions for the object, and the owner
of the object); then any groups you would need to resolve into individual
users.

If you just want to know for a single location in AD, look at the ACL
manually and work it out, broad spectrum would take the script or if you
can find a third party tool to do it.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
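
A sketch of the kind of script described in the reply above, added here as an example (it is not Joe Richards' code). It assumes the RSAT ActiveDirectory module, treats only the domain head and existing OUs as possible parents, and reads Allow ACEs only without evaluating Deny ACEs; `Resolve-Trustee` and the output file name are made up for the example.

```powershell
# Added example. Requires the RSAT ActiveDirectory module and read access to the directory.
Import-Module ActiveDirectory

# schemaIDGUID of the organizationalUnit class; an ACE scoped to it grants "create child - OU".
$ouClass  = [guid]'bf967aa5-0de6-11d0-a285-00aa003049e2'
$anyClass = [guid]::Empty          # empty ObjectType = the right covers every child class
$AD       = [System.DirectoryServices.ActiveDirectoryRights]

# Hypothetical helper: expand a trustee to accounts; non-groups come back unchanged.
function Resolve-Trustee([string]$Name) {
    try {
        $sid = ([System.Security.Principal.NTAccount]$Name).Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
        (Get-ADGroupMember -Identity $sid -Recursive -ErrorAction Stop).SamAccountName
    } catch { $Name }              # user, well-known principal, or unresolved SID
}

# Assumption: OUs are created under the domain head or under other OUs.
$filter  = '(|(objectClass=domainDNS)(objectClass=organizationalUnit))'
$parents = Get-ADObject -LDAPFilter $filter -Properties nTSecurityDescriptor

$report = foreach ($p in $parents) {
    $sd   = $p.nTSecurityDescriptor
    $hits = @([pscustomobject]@{ Trustee = "$($sd.Owner)"; Why = 'Owner' })
    foreach ($ace in $sd.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.InheritanceType -in 'Descendents', 'Children') { continue }  # inherit-only ACE
        $r   = $ace.ActiveDirectoryRights
        $why = $null
        if (($r -band $AD::GenericAll) -eq $AD::GenericAll) { $why = 'Full control' }
        elseif (($r -band $AD::WriteDacl) -ne 0) { $why = 'Write permissions' }
        elseif ((($r -band $AD::CreateChild) -ne 0) -and ($ace.ObjectType -in $anyClass, $ouClass)) {
            $why = if ($ace.ObjectType -eq $ouClass) { 'Create child - OU' } else { 'Create child - any' }
        }
        if ($why) { $hits += [pscustomobject]@{ Trustee = "$($ace.IdentityReference)"; Why = $why } }
    }
    foreach ($h in $hits) {
        foreach ($u in Resolve-Trustee $h.Trustee) {
            [pscustomobject]@{ Container = $p.DistinguishedName; Via = $h.Trustee; Account = $u; Why = $h.Why }
        }
    }
}
$report | Sort-Object Container, Account, Why, Via -Unique | Export-Csv .\ou-create-rights.csv -NoTypeInformation
```

The CSV lists, per container, each account, the trustee it came through, and which of the rights named above matched. Delete rights, which the original question also asks about, are not covered by this sketch.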
 
Ken Aldrich

DSRAZOR for Windows does an excellent job of documenting security of AD
objects. Incidentally it will also document File System objects as well.

You can create reports based on objects, or based upon trustees (pick a user
or group and find out what they have access to).

Click the link below to take a look. We would be happy to set you up with a
free trial and do a personalized one-on-one web demonstration to show you
how it can work in your environment.
www.visualclick.com/?source=ADacl071906
 
