Delegation of Control that are in place

Posted on 2007-09-29
Last Modified: 2010-05-18
Is there a way of seeing what Delegation of Control wizards are already in place on the network?

eg. see if there are accounts that can reset passwords?
Question by:andrewjones1987
    LVL 18

    Accepted Solution

    Kinda... What the Delegation of Control wizard does is assign the appropriate permissions for the selected task. So to see what's been assigned so far you can look at the ACLs of the various objects in question.

    To do so:
    - open ADUC
    - click View and make sure Advanced Features is selected
    - right-click the object of choice and select Properties > Security tab
    LVL 30

    Assisted Solution

    You can also view the permissions that have been assigned to a particular domain or container by using dsacls or dsrevoke, both free command-line tools from the MS website.  

    There's not an easy way to say "Take user account jsmith and tell me what rights it has within the directory", since permissions are stored on the objects themselves rather than on the users that have been -granted- those permissions, and users-to-permissions is typically a many-to-many relationship.  You need to query the objects/containers themselves to determine which users/groups have rights to them.
    LVL 18

    Assisted Solution

    Some sysinternals tools can help you here. They have been created just to solve this problem: enumerate who has access to what.
    Have a look here
    AccessChk, AccessEnum & ShareEnum should be able to help you.

    LVL 1

    Expert Comment

    Forced accept.

    EE Admin

    Featured Post

    Looking for New Ways to Advertise?

    Engage with tech pros in our community with native advertising, as a Vendor Expert, and more.

    Join & Write a Comment

    SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
    If you get continual lockouts after changing your Active Directory password, there are several possible reasons.  Two of the most common are using other devices to access your email and stored passwords in the credential manager of windows.
    This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
    Sending a Secure fax is easy with eFax Corporate ( First, Just open a new email message.  In the To field, type your recipient's fax number You can even send a secure international fax — just include t…

    734 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    18 Experts available now in Live!

    Get 1:1 Help Now