
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 209

Delegation of Control that are in place

Is there a way of seeing what Delegation of Control wizards are already in place on the network?

e.g. see if there are accounts that can reset passwords?
3 Solutions
Jeremy Weisinger, Senior Network Consultant / Engineer, commented:
Kinda... What the Delegation of Control wizard does is assign the appropriate permissions for the selected task. So to see what's been assigned so far you can look at the ACLs of the various objects in question.

To do so:
- open ADUC
- click View and make sure Advanced Features is selected
- right-click the object of choice and select Properties > Security tab

You can also view the permissions that have been assigned to a particular domain or container by using dsacls or dsrevoke, both free command-line tools from the MS website.

There's not an easy way to say "Take user account jsmith and tell me what rights it has within the directory", since permissions are stored on the objects themselves rather than on the users that have been -granted- those permissions, and users-to-permissions is typically a many-to-many relationship.  You need to query the objects/containers themselves to determine which users/groups have rights to them.

Some Sysinternals tools can help you here. They have been created just to solve this problem: enumerate who has access to what.
Have a look here http://www.microsoft.com/technet/sysinternals/securityutilities.mspx?wt.svl=featured.
AccessChk, AccessEnum & ShareEnum should be able to help you.
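
An added example, not part of the original thread: because the permissions live on the objects, answering "which accounts can reset passwords?" means reading each container's ACL and inverting it into a per-trustee view. The sketch assumes each container's security descriptor has already been exported as an SDDL string; the function names, DNs and SIDs are constructed for illustration, while the GUIDs are the schema identifiers for the Reset Password and Change Password extended rights and the user class.

```python
import re
from collections import defaultdict

RESET_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"  # User-Force-Change-Password
CONTROL_ACCESS = 0x100  # ADS_RIGHT_DS_CONTROL_ACCESS, written "CR" in SDDL

def pairs(s):
    """Split an SDDL flags/rights field into its two-letter codes."""
    return {s[i:i + 2] for i in range(0, len(s), 2)}

def has_control_access(rights):
    """True if a rights field (hex mask or two-letter codes) includes CR."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & CONTROL_ACCESS)
    return "CR" in pairs(rights)

def reset_password_aces(sddl):
    """Yield (trustee, inherited) for DACL allow ACEs that grant Reset Password."""
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    for ace in re.findall(r"\(([^()]*)\)", dacl.group(1) if dacl else ""):
        # ACE layout: type;flags;rights;object_guid;inherit_object_guid;trustee
        fields = (ace.split(";") + [""] * 6)[:6]
        ace_type, flags, rights, obj_guid, _inherit_guid, trustee = fields
        if ace_type not in ("A", "OA") or not has_control_access(rights):
            continue
        # An empty object GUID means all extended rights, Reset Password included.
        if obj_guid and obj_guid.lower() != RESET_PASSWORD:
            continue
        yield trustee, "ID" in pairs(flags)

def who_can_reset(descriptors):
    """Invert {DN: SDDL} into {trustee: [DNs where the grant is set explicitly]}."""
    found = defaultdict(list)
    for dn, sddl in descriptors.items():
        for trustee, inherited in reset_password_aces(sddl):
            if not inherited:  # inherited copies repeat a grant made higher up
                found[trustee].append(dn)
    return dict(found)

# Constructed sample descriptors; the DNs and the domain SID are made up.
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
USER_CLASS = "bf967aba-0de6-11d0-a285-00aa003049e2"  # schema GUID of the user class
SAMPLE = {
    "OU=Staff,DC=example,DC=com": "O:DAG:DAD:AI"
        f"(OA;CIIO;CR;{RESET_PASSWORD};{USER_CLASS};{DOM}-1105)"  # delegated reset
        "(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)",  # Change Password only
    "OU=Servers,DC=example,DC=com": "O:DAG:DAD:AI"
        "(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"  # explicit full control
        f"(A;CIID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;{DOM}-1106)",  # inherited, skipped
}
print(who_can_reset(SAMPLE))
```

Trustees come back as SIDs or SDDL aliases (`DA` is Domain Admins); resolving them to account names is a separate lookup against the directory.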

Forced accept.

EE Admin
