Too Much Information
Reporting on AD permissions using free tools is an exercise in futility for this admin. Can he find a better way?
- By Bill Boswell
I need some help documenting AD delegations.
I tried to use DSREVOKE and I found that there were so many "combinations
of bits" involved in delegations that although I could enumerate
them, the results were not very helpful. I got results like: USERNAME
has read/write on this object.
I am looking for a way to enumerate, for example, that USERNAME was delegated
read/write only on the user object in this container, and only for the
read/write password, and unlock account attributes.
Do you know a better way to do this?
Help from Bill
Got a Windows or Exchange question or need troubleshooting
help? Or maybe you want a better explanation than provided
in the manuals? Describe your dilemma in an e-mail
to Bill at mailto:[email protected];
the best questions get answered in this column.
When you send your questions, please include your
full first and last name, location, certifications (if
any) with your message. (If you prefer to remain anonymous,
specify this in your message but submit the requested
information for verification purposes.)
Alan: I feel your pain. The Delegation of Control wizard
is a great tool for "applying" permissions but it is sorely
lacking when it comes to reporting on permissions.
For readers who don't know about DSREVOKE, this is a command-line utility
from Microsoft that can either report on the contents of a security descriptor
in Active Directory or change the contents by removing a user or group
from the Access Control List. (Click
here to get DSREVOKE.)
As Alan points out, DSREVOKE gives a report that's a little difficult
to interpret. Here's a snippet from a DSREVOKE listing:
C:\>dsrevoke /report "ad\domain admins"
Object: OU=Domain Controllers,DC=ad,DC=corp,DC=com
Security Principal: AD\Domain Admins
VALIDATED WRITE ACCESS
ACE Type: ALLOW
ACE not inherited by any child objects
I don't use DSREVOKE very often because it only reports on OUs and the
There's a tool called DSACLS in the Support Tools that can list the contents
of an Active Directory security descriptor in much the same way that XCACLS
lists the contents of an NTFS security descriptor. It's a difficult tool
to use effectively, though, and not suited for gathering lots of information.
Another option is a tool from the Winter issue of TechNet magazine,
SEARCHSD, written by Gokay Hurmali, a software design engineer in the
Microsoft Directory and Identity Services group. (Click
here to download SEARCHSD.) This tool allows you to quickly
determine if a particular user or group has been given access rights on
an object in Active Directory. Here's a snippet of a listing:
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS [S-1-5-9] (S-1-5-9) has 22
BUILTIN\Administrators [S-1-5-32-544] (S-1-5-32-544) has 29 ACEs
NT AUTHORITY\Authenticated Users [S-1-5-11] (S-1-5-11) has 1667 ACEs
AD\Domain Admins [S-1-5-21-1565494782-452511174-2938149891-512] (S-1-5-21-1565494782-452511174-2938149891-512) has 468 ACEs
NT AUTHORITY\SYSTEM [S-1-5-18] (S-1-5-18) has 450 ACEs
AD\Enterprise Admins [S-1-5-21-1565494782-452511174-2938149891-519] (S-1-5-21-1565494782-452511174-2938149891-519) has 20 ACEs
BUILTIN\Pre-Windows 2000 Compatible Access [S-1-5-32-554] (S-1-5-32-554) has 193 ACEs
AD\Domain Controllers [S-1-5-21-1565494782-452511174-2938149891-516] (S-1-5-21-1565494782-452511174-2938149891-516) has 2 ACEs
BUILTIN\Incoming Forest Trust Builders [S-1-5-32-557] (S-1-5-32-557) has
BUILTIN\Account Operators [S-1-5-32-548] (S-1-5-32-548) has 337 ACEs
This won't meet Alan's goal, though, because it's too difficult to get
a comprehensive report on all of the inherited permissions.
To get the kind of detail Alan requires, you can write a script or buy
a tool. A script that reads and reports on security descriptor content
in Active Directory isn't fantastically difficult to write, but it does
require a little work to get it right. I'll put together some code for
a future column.
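To show what such a script has to do, here is an added example; it is not Bill's promised code and not a Microsoft tool. It decodes the binary ntSecurityDescriptor format that AD stores (the same "combinations of bits" DSREVOKE flattens into "read/write") into one line per ACE: the trustee, the individual directory rights, the extended right or attribute the ACE is scoped to, and the object class it is inherited onto. Because it runs offline, the sample descriptor is constructed in the block itself (a made-up domain SID for a helpdesk group); the schema GUIDs in the small lookup table are the published ones for Reset Password, lockoutTime and the user class, and any other GUID should be resolved against your own forest's schema partition. Against a live domain you would feed it the ntSecurityDescriptor attribute read from the OU over LDAP.

```python
"""Decode an AD security descriptor (self-relative, MS-DTYP layout) into a
per-ACE delegation report. Added example; constructs its own sample input."""
import struct
import uuid

# Schema GUIDs used to name object-specific ACEs (published AD schema values;
# the table is deliberately tiny, resolve anything else from your schema NC).
GUID_NAMES = {
    "00299570-246d-11d0-a768-00aa006e0529": "Reset Password (extended right)",
    "28630ebf-41d5-11d1-a9c1-0000f80367c1": "lockoutTime (attribute)",
    "bf967aba-0de6-11d0-a285-00aa003049e2": "user (object class)",
}
# Directory-service access mask bits (ADS_RIGHT_*), low bits are AD-specific.
RIGHTS = [
    (0x00000001, "CREATE_CHILD"), (0x00000002, "DELETE_CHILD"),
    (0x00000004, "LIST_CONTENTS"), (0x00000008, "VALIDATED_WRITE"),
    (0x00000010, "READ_PROPERTY"), (0x00000020, "WRITE_PROPERTY"),
    (0x00000040, "DELETE_TREE"), (0x00000080, "LIST_OBJECT"),
    (0x00000100, "CONTROL_ACCESS"), (0x00010000, "DELETE"),
    (0x00020000, "READ_CONTROL"), (0x00040000, "WRITE_DAC"),
    (0x00080000, "WRITE_OWNER"), (0x80000000, "GENERIC_READ"),
]
ACE_FLAGS = [(0x01, "OBJECT_INHERIT"), (0x02, "CONTAINER_INHERIT"),
             (0x04, "NO_PROPAGATE"), (0x08, "INHERIT_ONLY"), (0x10, "INHERITED")]
ACE_TYPES = {0: "ALLOW", 1: "DENY", 5: "ALLOW_OBJECT", 6: "DENY_OBJECT"}


def sid_to_bytes(sid):
    """Binary SID: revision, sub-authority count, 6-byte big-endian authority, LE subs."""
    parts = sid.split("-")
    auth, subs = int(parts[2]), [int(p) for p in parts[3:]]
    return (struct.pack("<BB", 1, len(subs)) + auth.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(data, pos):
    rev, count = struct.unpack_from("<BB", data, pos)
    auth = int.from_bytes(data[pos + 2:pos + 8], "big")
    subs = struct.unpack_from("<%dI" % count, data, pos + 8)
    return "S-%d-%d" % (rev, auth) + "".join("-%d" % s for s in subs)


def build_ace(ace_type, flags, mask, sid, object_type=None, inherited_type=None):
    """ACE header (type, flags, size) + mask [+ object flags/GUIDs] + SID."""
    body = struct.pack("<I", mask)
    if ace_type in (5, 6):  # object ACEs carry optional ObjectType/InheritedObjectType
        body += struct.pack("<I", (1 if object_type else 0) | (2 if inherited_type else 0))
        if object_type:
            body += uuid.UUID(object_type).bytes_le
        if inherited_type:
            body += uuid.UUID(inherited_type).bytes_le
    body += sid_to_bytes(sid)
    return struct.pack("<BBH", ace_type, flags, 4 + len(body)) + body


def build_sd(aces):
    """Self-relative SD with only a DACL (control 0x8004 = SELF_RELATIVE|DACL_PRESENT)."""
    acl_body = b"".join(aces)
    acl = struct.pack("<BBHHH", 4, 0, 8 + len(acl_body), len(aces), 0) + acl_body
    return struct.pack("<BBHIIII", 1, 0, 0x8004, 0, 0, 0, 20) + acl


def parse_dacl(sd):
    """Walk the DACL and return a dict per ACE; empty list if no DACL is present."""
    _, _, control, _, _, _, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if not control & 0x0004 or off_dacl == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, off_dacl)
    pos, aces = off_dacl + 8, []
    for _ in range(ace_count):
        ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", sd, pos)
        (mask,) = struct.unpack_from("<I", sd, pos + 4)
        cur, obj_type, inh_type = pos + 8, None, None
        if ace_type in (5, 6):
            (obj_flags,) = struct.unpack_from("<I", sd, cur)
            cur += 4
            if obj_flags & 1:
                obj_type, cur = str(uuid.UUID(bytes_le=sd[cur:cur + 16])), cur + 16
            if obj_flags & 2:
                inh_type, cur = str(uuid.UUID(bytes_le=sd[cur:cur + 16])), cur + 16
        aces.append({"type": ACE_TYPES.get(ace_type, str(ace_type)),
                     "flags": [n for b, n in ACE_FLAGS if ace_flags & b],
                     "rights": [n for b, n in RIGHTS if mask & b],
                     "object_type": obj_type, "inherited_type": inh_type,
                     "trustee": bytes_to_sid(sd, cur)})
        pos += ace_size  # AceSize, not our own arithmetic, so unknown ACE types are skipped
    return aces


def describe(ace):
    """One readable line per ACE: who, which right, scoped to what, inherited onto what."""
    what = ", ".join(ace["rights"]) or "(no rights)"
    if ace["object_type"]:
        what += " on " + GUID_NAMES.get(ace["object_type"], ace["object_type"])
    scope = "this object"
    if ace["inherited_type"]:
        scope = GUID_NAMES.get(ace["inherited_type"], ace["inherited_type"]) + " children"
    return "%s %s: %s applying to %s [%s]" % (
        ace["type"], ace["trustee"], what, scope, ",".join(ace["flags"]) or "-")


# Constructed sample (made-up domain SID): a helpdesk group delegated only
# Reset Password and write to lockoutTime on user objects under this OU, plus
# Authenticated Users with generic read on the OU itself. 0x0A = CONTAINER_INHERIT|INHERIT_ONLY.
HELPDESK = "S-1-5-21-1111111111-2222222222-3333333333-1105"
USER_CLASS = "bf967aba-0de6-11d0-a285-00aa003049e2"
SAMPLE_SD = build_sd([
    build_ace(5, 0x0A, 0x100, HELPDESK, "00299570-246d-11d0-a768-00aa006e0529", USER_CLASS),
    build_ace(5, 0x0A, 0x20, HELPDESK, "28630ebf-41d5-11d1-a9c1-0000f80367c1", USER_CLASS),
    build_ace(0, 0x00, 0x80000000 | 0x20000, "S-1-5-11"),
])


def report(sd=SAMPLE_SD):
    return [describe(a) for a in parse_dacl(sd)]


if __name__ == "__main__":
    print("\n".join(report()))
```

The report distinguishes the two things DSREVOKE blurs together: the right itself (CONTROL_ACCESS versus WRITE_PROPERTY) and the GUID it is scoped to, so "write to lockoutTime on user objects" and "write any property" come out as different lines. Note that the parser advances by the ACE's own AceSize field rather than by what it decoded, so ACE types it does not understand (callback or audit ACEs) are skipped rather than misaligning the rest of the list.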
For now, though, I think the simplest way for Alan to get his report is
to buy a tool. I know of a couple of options, such as ScriptLogic's ActiveAdministrator
(http://www.scriptlogic.com/eng/products/activeadmin/main.asp) and Quest Software's
Quest Reporter (http://wm.quest.com/products/reporter/). Both of these tools can display
a report on the delegated permissions inside AD. Figure 1 shows a sample
report in ActiveAdministrator.
Figure 1. ScriptLogic's ActiveAdministrator can report on rights inside of AD.
The downside of using a third-party utility rather than a script is the
cost, which hovers around $7-$9 per user. If you have 100 users, it might
not be worth your while to pay nearly $1,000 to get the report on delegated
rights. Of course, you'll get other features, as well, but you might not
want or need them.
Hopefully Microsoft will come up with new and more efficient ways of dealing
with the problem of determining rights inside AD. It's a challenge faced
by every administrator and it just shouldn't be so hard to get the required
Contributing Editor Bill Boswell, MCSE, is the principal of Bill Boswell Consulting, Inc. He's the author of Inside Windows Server 2003 and Learning Exchange Server 2003 both from Addison Wesley. Bill is also Redmond magazine's "Windows Insider" columnist and a speaker at MCP Magazine's TechMentor Conferences.