Windows Server 2000 includes wizards for delegating permissions to users in Active Directory, but there is no easy...
way to view or remove existing delegations. In order to do so, you must manually view the applied permissions on each container and object. Users who want to access the effective permissions must have read access to all aspects, both locally and in Active Directory. Typically, this would be limited to administrators.
Under the NTFS (New Technology File System), access to a resource is controlled by permissions specified on the access control list (ACL), which is stored with the object on the hard drive. The users and groups listed on the ACL can be from either the local computer or the domain. In Windows 2000, the standard objects that have permissions are files, folders, registry keys and printers. However, with the introduction of Active Directory, the number of objects that have permissions has tripled, because each object has its own access control list. Objects within Active Directory that have an ACL include Organizational unit, Group Policy Object, Site, and user, computer and group accounts. To make it easier to view existing permissions delegations, Microsoft released a command line tool, Dsrevoke. It is important to note that this tool only displays permissions explicitly given to a user or group and it will not provide a complete view of a user or group's permissions if it is part of another group. You can find Dsrevoke at the Microsoft Download Center.
There are some useful third party tools available to Active Directory administrators that produce the type of reports they need to audit their systems. These include, ScriptLogic's Enterprise Security Reporter, SomarSoft's DumpSec and NetIQ's File Security Administrator. ScriptLogic's Enterprise Security Reporter collects information found within NTFS permissions, Active Directory user and group accounts, server registries and shares allowing administrators to analyze, query and report on the security and configuration of their network. SomarSoft's DumpSec, is a free tool that dumps the permissions and audit settings for the file system, registry, printers and shares. NetIQ's File Security Administrator is a file security management and reporting product tool that allows you to view, modify or roll back ACL changes and produces reports across multiple servers.
Related Q&A from Michael Cobb
Expert Michael Cobb explains how an HTTP referer header affects user privacy and outlines changes that can be made to ensure sensitive data is not ...continue reading
Expert Michael Cobb explains the difference between the REESSE3+ and IDEA block ciphers and explores when each is applicable in an enterprise setting.continue reading
While cookies are critical to delivering personalized Web content, they are a privacy concern. Learn how adding Bloom filters to cookies can help ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.