Windows Server 2000 includes wizards for delegating permissions to users in Active Directory, but there is no easy...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
way to view or remove existing delegations. In order to do so, you must manually view the applied permissions on each container and object. Users who want to access the effective permissions must have read access to all aspects, both locally and in Active Directory. Typically, this would be limited to administrators.
Under the NTFS (New Technology File System), access to a resource is controlled by permissions specified on the access control list (ACL), which is stored with the object on the hard drive. The users and groups listed on the ACL can be from either the local computer or the domain. In Windows 2000, the standard objects that have permissions are files, folders, registry keys and printers. However, with the introduction of Active Directory, the number of objects that have permissions has tripled, because each object has its own access control list. Objects within Active Directory that have an ACL include Organizational unit, Group Policy Object, Site, and user, computer and group accounts. To make it easier to view existing permissions delegations, Microsoft released a command line tool, Dsrevoke. It is important to note that this tool only displays permissions explicitly given to a user or group and it will not provide a complete view of a user or group's permissions if it is part of another group. You can find Dsrevoke at the Microsoft Download Center.
There are some useful third party tools available to Active Directory administrators that produce the type of reports they need to audit their systems. These include, ScriptLogic's Enterprise Security Reporter, SomarSoft's DumpSec and NetIQ's File Security Administrator. ScriptLogic's Enterprise Security Reporter collects information found within NTFS permissions, Active Directory user and group accounts, server registries and shares allowing administrators to analyze, query and report on the security and configuration of their network. SomarSoft's DumpSec, is a free tool that dumps the permissions and audit settings for the file system, registry, printers and shares. NetIQ's File Security Administrator is a file security management and reporting product tool that allows you to view, modify or roll back ACL changes and produces reports across multiple servers.
Dig Deeper on Active Directory and LDAP Security
Related Q&A from Michael Cobb
An old Java vulnerability was discovered to have been ineffectually patched. Expert Michael Cobb explains how this happened and what can be done to ...continue reading
Google's Certificate Transparency tool publicly logs certificates issued by CAs. Expert Michael Cobb explains how the log viewer works to improve ...continue reading
Crowning the most secure web browser is difficult, with research often turning up biased results. Expert Michael Cobb explains how to make a choice ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.