Question: How do I export Active Directory delegation permissions & rights?

Hi, I'd like to export the existing security permissions or delegations within my Active Directory, i.e. who/which "administrator group" has what rights on each OU. Basically I need to review all the delegations and make changes to make it more secure.

Does anyone know of a script or tool that can easily do this kind of task?

Answer: How do I export Active Directory delegation permissions & rights?

You can script out the permissions. There are a couple of issues (which could be modified in the script):
a) you need to change the script to iterate through all objects (right now you have to hard-code it)
b) the script doesn't write out the name of the object whose ACLs are being denoted
c) for the type of permissions it gives a SID code; you might want to map this out so it makes sense
Option Explicit

'ADSI constants (ACE types, flags and rights) for reading the DACL
Const ADS_ACEFLAG_INHERIT_ACE = &H2
Const ADS_ACETYPE_ACCESS_ALLOWED = &H0
Const ADS_ACETYPE_ACCESS_DENIED = &H1
Const ADS_ACETYPE_SYSTEM_AUDIT = &H2
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6
Const ADS_ACETYPE_SYSTEM_AUDIT_OBJECT = &H7
Const ADS_ACETYPE_SYSTEM_ALARM_OBJECT = &H8
Const ADS_FLAG_OBJECT_TYPE_PRESENT = &H1
Const ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT = &H2
Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100
Const ADS_RIGHT_DS_CREATE_CHILD = &H1
Const ADS_RIGHT_DS_WRITE_PROP = &H20
Const ADS_OPTION_SECURITY_MASK = 3
Const ADS_SECURITY_INFO_DACL = 4
Const ADS_SCOPE_SUBTREE = 2
Const ForWriting = 2

'======================================================================================================
'Main Body of Script
'======================================================================================================

Dim oFSO, objCommentFile, oContainer, oAccount, NTFS, dacl1, Ace1

'Output is tab-delimited text; the .xls extension only makes Excel open it directly
Set oFSO = CreateObject("Scripting.FileSystemObject")
Set objCommentFile = oFSO.OpenTextFile("c:\AddedToSendAsGroup.xls", ForWriting, True)
objCommentFile.WriteLine "Trustee" & vbTab & "ObjectType" & vbTab & "AccessMask" & vbTab & "AceType" & vbTab & "AceFlags"

'In the following line you need to set the LDAP path to reflect the container in your AD
Set oContainer = GetObject("LDAP://ou=workstations,DC=your domain,DC=com")

'Only the direct children of the container are visited (see note a above)
For Each oAccount In oContainer
    WScript.Echo oAccount.displayName
    WScript.Echo oAccount.cn & " cn info"

    'Read the object's security descriptor and walk its DACL; nothing is written back to AD
    Set NTFS = oAccount.Get("ntSecurityDescriptor")
    Set dacl1 = NTFS.DiscretionaryAcl

    For Each Ace1 In dacl1
        WScript.Echo "Ace.Trustee: " & Ace1.Trustee
        'One row per ACE; AccessMask and AceType are written as raw numbers (see note c above)
        objCommentFile.WriteLine Ace1.Trustee & vbTab & Ace1.ObjectType & vbTab & _
            Ace1.AccessMask & vbTab & Ace1.AceType & vbTab & Ace1.AceFlags
    Next
    WScript.Echo
Next

objCommentFile.Close
WScript.Echo "Script is finished running."
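The three limitations listed above (walking every OU, naming the object each ACE belongs to, and turning the numeric rights and GUIDs into names) can all be handled with the ActiveDirectory PowerShell module. The script below is an added example and is not the answerer's script; it assumes the RSAT ActiveDirectory module is installed, that the account running it can read the directory and the schema, and that the output path C:\Temp\OU-Delegations.csv (an assumption, change as needed) is writable. It exports only the ACEs set directly on each OU, so every delegation appears once, at the OU where it was granted, and flags the ACEs that would let the trustee take full control of the OU, which is usually the first thing to review.

```powershell
# Added example (not part of the original answer): export the delegations set directly on
# every OU in the domain to a CSV, with rights and object-type GUIDs resolved to names.
# Assumes the RSAT ActiveDirectory module and an account that can read AD and its schema.
Import-Module ActiveDirectory

$OutFile = 'C:\Temp\OU-Delegations.csv'   # assumed output path

# Build a GUID -> name map from the schema (attributes and classes) and from the extended
# rights container (e.g. "Reset Password"), so ObjectType GUIDs in the ACEs become readable.
$rootDse = Get-ADRootDSE
$GuidMap = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $GuidMap[([guid]$_.schemaIDGUID).ToString()] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $GuidMap[([guid]$_.rightsGuid).ToString()] = $_.displayName }

function Resolve-AdGuid([guid]$Guid) {
    if ($Guid -eq [guid]::Empty) { return 'All' }   # empty GUID = the ACE applies to everything
    $key = $Guid.ToString()
    if ($GuidMap.ContainsKey($key)) { return $GuidMap[$key] }
    return $key                                      # unknown GUID: keep the raw value
}

# Rights that let the trustee take over the object, or change who else can: flag them for review
$TakeoverRights = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, GenericWrite, WriteDacl, WriteOwner'

$rows = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }   # inherited ACEs are reported once, at their source OU
        [PSCustomObject]@{
            OU                  = $ou.DistinguishedName
            Trustee             = $ace.IdentityReference.Value
            Type                = $ace.AccessControlType            # Allow or Deny
            Rights              = $ace.ActiveDirectoryRights.ToString()
            ObjectType          = Resolve-AdGuid $ace.ObjectType
            InheritedObjectType = Resolve-AdGuid $ace.InheritedObjectType
            Inheritance         = $ace.InheritanceType
            Takeover            = ([int]($ace.ActiveDirectoryRights -band $TakeoverRights)) -ne 0
        }
    }
}

$rows | Sort-Object OU, Trustee | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
Write-Host ("Wrote {0} ACEs to {1}" -f @($rows).Count, $OutFile)
```

Run it from an elevated PowerShell session on a domain-joined machine with RSAT; the CSV opens directly in Excel. Drop the `IsInherited` check if you want the effective ACL of each OU instead of the delegations set on it, and filter on `Takeover -eq $true` first when deciding which entries to tighten.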