Boswell's Q&A

Too Much Information

Reporting on AD permissions using free tools is an exercise in futility for this admin. Can he find a better way?

Bill: I need some help documenting AD delegations. I tried to use DSREVOKE and I found that there were so many "combinations of bits" involved in delegations that although I could enumerate them, the results were not very helpful. I got results like: USERNAME has read/write on this object.

I am looking for a way to enumerate, for example, that USERNAME was delegated read/write only on the user object in this container, and only for the read/write password, and unlock account attributes.

Do you know a better way to do this?
—Alan


Alan: I feel your pain. The Delegation of Control wizard is a great tool for "applying" permissions but it is sorely lacking when it comes to reporting on permissions.

For readers who don't know DSREVOKE, it is a command-line utility from Microsoft that can either report on the contents of an Active Directory security descriptor or change it by removing every ACE for a given user or group from the Access Control List.

As Alan points out, DSREVOKE gives a report that's a little difficult to interpret. Here's a snippet from a DSREVOKE listing:

C:\>dsrevoke /report "ad\domain admins"

ACE #1
Object: OU=Domain Controllers,DC=ad,DC=corp,DC=com
Security Principal: AD\Domain Admins

Permissions:
READ CONTROL
WRITE DAC
WRITE OWNER
CREATE CHILD
LIST CONTENTS
VALIDATED WRITE ACCESS
READ PROPERTY
WRITE PROPERTY
LIST OBJECT
EXTENDED ACCESS
ACE Type: ALLOW

ACE not inherited by any child objects

I don't use DSREVOKE very often because it only reports on OUs and the Domain object.

There's a tool called DSACLS in the Support Tools that lists the contents of an Active Directory security descriptor in much the same way that XCACLS lists the contents of an NTFS security descriptor. It's a difficult tool to use effectively, though, and it isn't suited to gathering a lot of information at once.

Another option is a tool from the Winter issue of TechNet magazine, SEARCHSD, written by Gokay Hurmali, a software design engineer in the Microsoft Directory and Identity Services group. This tool lets you quickly determine whether a particular user or group has been given access rights on an object in Active Directory. Here's a snippet of a listing:

C:\>searchad /test:searchdacl

NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS [S-1-5-9] (S-1-5-9) has 22 ACEs
BUILTIN\Administrators [S-1-5-32-544] (S-1-5-32-544) has 29 ACEs
NT AUTHORITY\Authenticated Users [S-1-5-11] (S-1-5-11) has 1667 ACEs
AD\Domain Admins [S-1-5-21-1565494782-452511174-2938149891-512] (S-1-5-21-1565494782-452511174-2938149891-512) has 468 ACEs
NT AUTHORITY\SYSTEM [S-1-5-18] (S-1-5-18) has 450 ACEs
AD\Enterprise Admins [S-1-5-21-1565494782-452511174-2938149891-519] (S-1-5-21-1565494782-452511174-2938149891-519) has 20 ACEs
BUILTIN\Pre-Windows 2000 Compatible Access [S-1-5-32-554] (S-1-5-32-554) has 193 ACEs
AD\Domain Controllers [S-1-5-21-1565494782-452511174-2938149891-516] (S-1-5-21-1565494782-452511174-2938149891-516) has 2 ACEs
BUILTIN\Incoming Forest Trust Builders [S-1-5-32-557] (S-1-5-32-557) has 2 ACEs
BUILTIN\Account Operators [S-1-5-32-548] (S-1-5-32-548) has 337 ACEs

This won't meet Alan's goal, though, because it's too difficult to get a comprehensive report on all of the inherited permissions.

To get the kind of detail Alan requires, you can write a script or buy a tool. A script that reads and reports on security descriptor content in Active Directory isn't fantastically difficult to write, but it does require a little work to get it right. I'll put together some code for a future column.

For now, though, I think the simplest way for Alan to get his report is to buy a tool. I know of a couple of options: ScriptLogic's ActiveAdministrator (http://www.scriptlogic.com/eng/products/activeadmin/main.asp) and Quest Software's Quest Reporter (http://wm.quest.com/products/reporter/). Both tools can display a report on the delegated permissions inside AD. Figure 1 shows a sample report from ActiveAdministrator.

Figure 1. ScriptLogic's ActiveAdministrator can report on rights inside of AD.

The downside of using a third-party utility rather than a script is the cost, which hovers around $7-$9 per user. If you have 100 users, it might not be worth your while to pay nearly $1,000 to get the report on delegated rights. Of course, you'll get other features, as well, but you might not want or need them.

Hopefully Microsoft will come up with new and more efficient ways of dealing with the problem of determining rights inside AD. It's a challenge faced by every administrator and it just shouldn't be so hard to get the required information.
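The report Alan describes, one line per ACE showing who was delegated what right, on which attribute or extended right, and scoped to which object class, is mostly a matter of decoding the object-type GUIDs that DSREVOKE leaves as raw "READ PROPERTY / WRITE PROPERTY" bits. The following PowerShell script is an added example, not code from the column or from any of the tools named above. It builds a constructed DACL offline (a help-desk group with "reset password" and read/write of pwdLastSet and lockoutTime on user objects, roughly what the Delegation of Control wizard writes for those tasks) and prints the decoded report; the domain SID is taken from the SEARCHSD listing above with a made-up RID. The GUID table is a hand-picked subset; a production version would read schemaIDGUID from the Schema partition and rightsGuid from CN=Extended-Rights in the Configuration partition rather than hard-coding names.

```powershell
# Added example (not from the column): turn the DACL of an AD container into a
# per-ACE delegation report, decoding object-type GUIDs into attribute, extended
# right and object-class names. Runs offline against a constructed ACL; the
# commented block at the end shows the same call against a live domain.

# Hand-picked well-known schemaIDGUID / rightsGuid values.
# ASSUMPTION: a subset only. A full script reads schemaIDGUID from the Schema NC
# and rightsGuid from CN=Extended-Rights,CN=Configuration,... for every entry.
$GuidNames = @{
    '00000000-0000-0000-0000-000000000000' = '(all)'
    'bf967aba-0de6-11d0-a285-00aa003049e2' = 'user'
    'bf967a86-0de6-11d0-a285-00aa003049e2' = 'computer'
    'bf967a9c-0de6-11d0-a285-00aa003049e2' = 'group'
    '28630ebf-41d5-11d1-a9c1-0000f80367c1' = 'lockoutTime'
    'bf967a0a-0de6-11d0-a285-00aa003049e2' = 'pwdLastSet'
    'bf967a68-0de6-11d0-a285-00aa003049e2' = 'userAccountControl'
    'bf9679c0-0de6-11d0-a285-00aa003049e2' = 'member'
    '00299570-246d-11d0-a768-00aa006e0529' = 'User-Force-Change-Password (Reset Password)'
    'ab721a53-1e2f-11d0-9819-00aa0040529b' = 'User-Change-Password'
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
}

function Resolve-AdGuid([guid]$Guid) {
    # Unknown GUIDs are returned as-is so nothing is silently hidden.
    $key = $Guid.ToString().ToLowerInvariant()
    if ($GuidNames.ContainsKey($key)) { $GuidNames[$key] } else { $key }
}

function Resolve-Principal([System.Security.Principal.SecurityIdentifier]$Sid) {
    # Name lookup needs a domain; fall back to the raw SID when running offline.
    try { $Sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $Sid.Value }
}

function Get-DelegationReport {
    param(
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectorySecurity]$Acl,
        [string]$Path = '',
        [switch]$IncludeInherited   # also list ACEs that flowed down from parent containers
    )
    $rules = $Acl.GetAccessRules($true, $IncludeInherited.IsPresent,
                                 [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        [pscustomobject]@{
            Object      = $Path
            Principal   = Resolve-Principal $ace.IdentityReference
            Type        = $ace.AccessControlType
            Rights      = $ace.ActiveDirectoryRights
            Target      = Resolve-AdGuid $ace.ObjectType          # attribute, property set or extended right
            AppliesTo   = Resolve-AdGuid $ace.InheritedObjectType # object class the ACE is scoped to
            Inheritance = $ace.InheritanceType
            Inherited   = $ace.IsInherited
        }
    }
}

# --- Constructed sample DACL (not read from any directory) ---
# Domain SID from the SEARCHSD listing above; RID 1104 is made up for a "HelpDesk" group.
$helpdesk  = New-Object System.Security.Principal.SecurityIdentifier `
                'S-1-5-21-1565494782-452511174-2938149891-1104'
$userClass = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
$resetPwd  = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$pwdLast   = [guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'
$lockout   = [guid]'28630ebf-41d5-11d1-a9c1-0000f80367c1'
$onUsers   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$allow     = [System.Security.AccessControl.AccessControlType]::Allow

$acl = New-Object System.DirectoryServices.ActiveDirectorySecurity
$acl.SetSecurityDescriptorSddlForm('D:')   # start from an empty (not null) DACL
# Extended right "Reset Password", scoped to user objects below the container.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $helpdesk, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    $allow, $resetPwd, $onUsers, $userClass)))
# Read/write on pwdLastSet (force change at next logon) and lockoutTime (unlock).
foreach ($attr in $pwdLast, $lockout) {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $helpdesk, [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
        $allow, $attr, $onUsers, $userClass)))
}

Get-DelegationReport -Acl $acl -Path 'OU=Helpdesk Users,DC=ad,DC=corp,DC=com' |
    Format-Table Principal, Rights, Target, AppliesTo, Inheritance -AutoSize

# Against a live domain instead (the AD: drive comes with the RSAT ActiveDirectory module):
#   Import-Module ActiveDirectory
#   $ou = 'OU=Helpdesk Users,DC=ad,DC=corp,DC=com'
#   Get-DelegationReport -Acl (Get-Acl "AD:\$ou") -Path $ou -IncludeInherited |
#       Where-Object { $_.Principal -notmatch 'SYSTEM|Domain Admins|Enterprise Admins' } |
#       Format-Table -AutoSize
```

Each output row reads the way Alan wants: the help-desk SID, ReadProperty/WriteProperty, lockoutTime, scoped to user, inheritance Descendents. Passing -IncludeInherited on a live container is what closes the gap noted with SEARCHSD, since it lists the ACEs that arrived from parent OUs and the domain head alongside the explicit ones; the Where-Object filter is the usual way to drop the default SYSTEM and admin-group entries so only real delegations remain.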

About the Author

Contributing Editor Bill Boswell, MCSE, is the principal of Bill Boswell Consulting, Inc. He's the author of Inside Windows Server 2003 and Learning Exchange Server 2003 both from Addison Wesley. Bill is also Redmond magazine's "Windows Insider" columnist and a speaker at MCP Magazine's TechMentor Conferences.
