Windows Server 2000 includes wizards for delegating permissions to users in Active Directory, but there is no easy...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
way to view or remove existing delegations. In order to do so, you must manually view the applied permissions on each container and object. Users who want to access the effective permissions must have read access to all aspects, both locally and in Active Directory. Typically, this would be limited to administrators.
Under the NTFS (New Technology File System), access to a resource is controlled by permissions specified on the access control list (ACL), which is stored with the object on the hard drive. The users and groups listed on the ACL can be from either the local computer or the domain. In Windows 2000, the standard objects that have permissions are files, folders, registry keys and printers. However, with the introduction of Active Directory, the number of objects that have permissions has tripled, because each object has its own access control list. Objects within Active Directory that have an ACL include Organizational unit, Group Policy Object, Site, and user, computer and group accounts. To make it easier to view existing permissions delegations, Microsoft released a command line tool, Dsrevoke. It is important to note that this tool only displays permissions explicitly given to a user or group and it will not provide a complete view of a user or group's permissions if it is part of another group. You can find Dsrevoke at the Microsoft Download Center.
There are some useful third party tools available to Active Directory administrators that produce the type of reports they need to audit their systems. These include, ScriptLogic's Enterprise Security Reporter, SomarSoft's DumpSec and NetIQ's File Security Administrator. ScriptLogic's Enterprise Security Reporter collects information found within NTFS permissions, Active Directory user and group accounts, server registries and shares allowing administrators to analyze, query and report on the security and configuration of their network. SomarSoft's DumpSec, is a free tool that dumps the permissions and audit settings for the file system, registry, printers and shares. NetIQ's File Security Administrator is a file security management and reporting product tool that allows you to view, modify or roll back ACL changes and produces reports across multiple servers.
Dig Deeper on Active Directory and LDAP Security
Related Q&A from Michael Cobb
A survey found that half of its respondents perform application updates daily. Expert Michael Cobb explains how to allocate appropriate time on ...continue reading
Many large enterprises have their own internal public key infrastructure. Expert Michael Cobb explains the considerations organizations should make ...continue reading
Network administrators typically resist policies for separate accounts when performing different tasks. Expert Michael Cobb explains the risk of ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.