Handling permissions in Active Directory

Windows Server 2000 includes wizards for delegating permissions to users in Active Directory, but there is no easy way to view or remove existing delegations. In order to do so, you must manually view the applied permissions on each container and object. Users who want to access the effective permissions must have read access to all aspects, both locally and in Active Directory. Typically, this would be limited to administrators.

Under the NTFS (New Technology File System), access to a resource is controlled by permissions specified on the access control list (ACL), which is stored with the object on the hard drive. The users and groups listed on the ACL can be from either the local computer or the domain. In Windows 2000, the standard objects that have permissions are files, folders, registry keys and printers. However, with the introduction of Active Directory, the number of objects that have permissions has tripled, because each object has its own access control list. Objects within Active Directory that have an ACL include Organizational unit, Group Policy Object, Site, and user, computer and group accounts. To make it easier to view existing permissions delegations, Microsoft released a command line tool, Dsrevoke. It is important to note that this tool only displays permissions explicitly given to a user or group and it will not provide a complete view of a user or group's permissions if it is part of another group. You can find Dsrevoke at the Microsoft Download Center.

There are some useful third party tools available to Active Directory administrators that produce the type of reports they need to audit their systems. These include, ScriptLogic's Enterprise Security Reporter, SomarSoft's DumpSec and NetIQ's File Security Administrator. ScriptLogic's Enterprise Security Reporter collects information found within NTFS permissions, Active Directory user and group accounts, server registries and shares allowing administrators to analyze, query and report on the security and configuration of their network. SomarSoft's DumpSec, is a free tool that dumps the permissions and audit settings for the file system, registry, printers and shares. NetIQ's File Security Administrator is a file security management and reporting product tool that allows you to view, modify or roll back ACL changes and produces reports across multiple servers.