User Rights In Active Directory

Posted by SecurityPro on January 11, 2006, 12:50 pm
I'm reviewing all user and group accounts in our domain. Of particular
interest is the users' and groups' ability to affect other portions of AD.
Unfortunately so far this has consisted of me going into the properties of
each user and group and creating a massive spreadsheet detailing all rights.

Is anyone aware of any tools or scripts that would allow me to automate the
process? Preferably something that is not required to be installed on the DC.

Thanks a bunch everyone?

Cindy

Posted by Steven L Umbach on January 11, 2006, 1:31 pm
Regular domain users should not have any ability to do any modifying with AD
unless you have delegated them authority for such via AD permissions to the
AD object such as user, computer, or container. To find that out you will
need to check the permissions for your AD containers/OUs and it may help
to use the command line tool dsacls.

Beyond that you will want to focus on what users are in groups that by
default can manage domain controllers and Active Directory so you will need
to view membership of groups such as enterprise admins, domain admins,
administrators, etc. The AD command line tools such as dsquery and dsget can
help with that. To see what user rights a user/group has to domain
controllers you could view Domain Controller Security Policy and go to local
policies/user rights where by default I believe all or almost all user
rights are defined for the domain controller container. A tool such as the
free dumpsec from Somar Soft can dump user rights and more for a computer
and secedit can be used to export most security settings to file or security
template for viewing. --- Steve

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/b1007de8-a11a-4d88-9370-25e244560587.mspx --- AD command line tools

http://www.somarsoft.com/ --- dumpsec

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/e01d44c1-6018-4ac0-a419-79f9ad547d37.mspx --- dsacls syntax

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/b1007de8-a11a-4d88-9370-25e244560587.mspx --- secedit syntax

> I'm reviewing all user and group accounts in our domain. Of particular
> interest is the users' and groups' ability to affect other portions of AD.
> Unfortunately so far this has consisted of me going into the properties of
> each user and group and creating a massive spreadsheet detailing all
> rights.
>
> Is anyone aware of any tools or scripts that would allow me to automate
> the process? Preferably something that is not required to be installed on
> the DC.
>
> Thanks a bunch everyone?
>
> Cindy
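
Added example, not part of the original thread: one way to turn the user-rights export mentioned in the reply above into the per-account spreadsheet the question asks for. It assumes the file was produced with `secedit /export /cfg rights.inf /areas USER_RIGHTS`; the sample content and the `EXAMPLE\helpdesk` account are constructed for illustration.

```python
import csv
import io

WELL_KNOWN = {  # well-known SIDs that commonly appear in a DC export
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-549": "BUILTIN\\Server Operators",
    "S-1-5-32-551": "BUILTIN\\Backup Operators",
}

# Constructed sample of a secedit export. A real export is usually
# UTF-16, so read it with open(path, encoding="utf-16").
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-11,*S-1-5-32-544
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-551
SeDebugPrivilege = *S-1-5-32-544
SeRemoteShutdownPrivilege = *S-1-5-32-544,EXAMPLE\\helpdesk
[Version]
signature="$CHICAGO$"
"""

def rights_by_principal(inf_text):
    """Invert 'right = principals' lines into {principal: sorted rights}."""
    result, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):  # section header: track where we are
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line or line.startswith(";"):
            continue
        right, _, members = line.partition("=")
        for member in members.split(","):
            member = member.strip().lstrip("*")  # '*' prefixes a SID
            if member:
                name = WELL_KNOWN.get(member, member)
                result.setdefault(name, set()).add(right.strip())
    return {p: sorted(r) for p, r in sorted(result.items())}

def to_csv(mapping):
    """One row per principal/right pair, ready to open as a spreadsheet."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["principal", "user_right"])
    for principal, rights in mapping.items():
        writer.writerows((principal, r) for r in rights)
    return out.getvalue()
```

SIDs that are not in the small `WELL_KNOWN` table are kept as-is, so domain-specific SIDs still show up in the output and can be resolved separately.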



Posted by Thomas on January 13, 2006, 2:15 pm
> I'm reviewing all user and group accounts in our domain. Of particular
> interest is the users' and groups' ability to affect other portions of AD.
> Unfortunately so far this has consisted of me going into the properties of
> each user and group and creating a massive spreadsheet detailing all
> rights.
>
> Is anyone aware of any tools or scripts that would allow me to automate
> the process? Preferably something that is not required to be installed on
> the DC.
>
> Thanks a bunch everyone?
>
> Cindy

AccessEnum
http://www.sysinternals.com
PermissionAnalyzer
http://www.permissionanalyzer.com
DumpSec
http://www.somarsoft.com


