Windows Server 2000 includes wizards for delegating permissions to users in Active Directory, but there is no easy way to view or remove existing delegations. To do so, you must manually view the applied permissions on each container and object. Users who want to view the effective permissions must have read access to all aspects, both locally and in Active Directory. Typically, this would be limited to administrators.
Under NTFS (New Technology File System), access to a resource is controlled by permissions specified on the access control list (ACL), which is stored with the object on the hard drive. The users and groups listed on the ACL can be from either the local computer or the domain. In Windows 2000, the standard objects that have permissions are files, folders, registry keys and printers. However, with the introduction of Active Directory, the number of objects that have permissions has tripled, because each object has its own access control list. Objects within Active Directory that have an ACL include organizational units, Group Policy Objects, sites, and user, computer and group accounts.
To make it easier to view existing permissions delegations, Microsoft released a command-line tool, Dsrevoke. It is important to note that this tool only displays permissions explicitly given to a user or group. It will not provide a complete view of a user's or group's permissions if that user or group is a member of another group. You can find Dsrevoke at the Microsoft Download Center.
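The group-membership gap described above can be closed by checking each ACL against the account and every group that contains it. The following is an added example, not part of the original answer and not Microsoft's tooling: it assumes the ActiveDirectory PowerShell module (RSAT) and a domain recent enough to run Active Directory Web Services, it covers organizational units only, and the function names are hypothetical.

```powershell
# Added example; assumes the RSAT ActiveDirectory module and its AD: drive.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue([string] $Value) {
    # Escape the characters RFC 4515 reserves inside a filter value.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Get-OuDelegationReport {
    param([Parameter(Mandatory)] [string] $SamAccountName)  # user or group to audit

    $name = ConvertTo-LdapFilterValue $SamAccountName
    $principal = Get-ADObject -LDAPFilter "(sAMAccountName=$name)" -Properties objectSid
    if (-not $principal) { throw "Principal '$SamAccountName' not found." }

    # Trustees to look for: the principal itself plus every group that contains it.
    # 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) follows nested groups.
    # Not covered: the primary group and implicit identities such as
    # Authenticated Users.
    $trustees = @{}
    $trustees[$principal.objectSid.Value] = 'direct'
    $dn = ConvertTo-LdapFilterValue $principal.DistinguishedName
    Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" | ForEach-Object {
        $trustees[$_.SID.Value] = "via group $($_.SamAccountName)"
    }

    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
        $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
        # includeExplicit = $true, includeInherited = $false: explicit ACEs only.
        foreach ($ace in $acl.GetAccessRules($true, $false, $sidType)) {
            $sid = $ace.IdentityReference.Value
            if (-not $trustees.ContainsKey($sid)) { continue }
            [pscustomobject]@{
                OU         = $ou.DistinguishedName
                Source     = $trustees[$sid]
                Type       = $ace.AccessControlType
                Rights     = $ace.ActiveDirectoryRights
                ObjectType = $ace.ObjectType       # GUID of the attribute, class or extended right in scope
                AppliesTo  = $ace.InheritanceType  # this object, children, or both
            }
        }
    }
}

# Constructed usage; 'helpdesk-ops' is a hypothetical account name.
# Get-OuDelegationReport -SamAccountName 'helpdesk-ops' | Format-Table -AutoSize
```

Rows whose Source reads "via group ..." are the delegations a listing of the account's own explicit entries would not show.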
There are some useful third-party tools available to Active Directory administrators that produce the type of reports they need to audit their systems. These include ScriptLogic's Enterprise Security Reporter, SomarSoft's DumpSec and NetIQ's File Security Administrator. ScriptLogic's Enterprise Security Reporter collects information found within NTFS permissions, Active Directory user and group accounts, server registries and shares, allowing administrators to analyze, query and report on the security and configuration of their network. SomarSoft's DumpSec is a free tool that dumps the permissions and audit settings for the file system, registry, printers and shares. NetIQ's File Security Administrator is a file security management and reporting tool that allows you to view, modify or roll back ACL changes and produces reports across multiple servers.