How can I compare the settings of two Active Directory accounts?

Posted on 2009-02-10
Last Modified: 2012-06-21
I have a problem that I believe boils down to permissions on the user accounts.

Is there a free tool that will examine two accounts and tell me the differences in permissions and security settings?

I'd like to compare a known good account with a problematic account to see if there are any differences.

Question by:Robmonster
    LVL 70

    Expert Comment

    by:Chris Dent

    It depends which permissions you're looking at, and what is broken and causing you problems.

    For example, you have these you can pick from to start with:

    Security descriptor on the user account
    Security descriptor on the mailbox
    Any file level security descriptors

    Can you tell us anything about the problem that might help us decide which we need to examine?

    LVL 6

    Author Comment

    It relates to setting Exchange permissions, as per my other question here:-

    I posted this as a separate question to avoid muddying the water.

    LVL 8

    Accepted Solution

    You can use DSACLS to dump the ACLs on different objects. Free with Windows. Another way is to use LDP.exe to examine the attribute differences on desired user accounts.

    See and

    LVL 70

    Assisted Solution

    by:Chris Dent

    We have a few different areas to deal with, not all of them explicit permissions.

    Let's cover Send On Behalf first. You find this in the GUI (as I'm sure you know) under Exchange General \ Delivery Options \ Send On Behalf. That isn't actually an access right, it populates an attribute called publicDelegates in Active Directory. Can you see if the account mentioned is listed?

    As far as I know, Send On Behalf takes precedence over any Send As permission.

    The Send As permission itself is configured in the User Account Security Descriptor. From AD Users and Computers: View / Advanced, then select the Security Tab and see who is listed with Send As permission.

    LVL 11

    Assisted Solution

    DSACLS is the best way, as suggested by Milind. Also, you may want to get a dump of attributes using the LDP tool if you need to compare the accounts beyond just permissions.

    By the way, if you could elaborate on the issue, we may be able to assist better.
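
The comparison the answers above describe (ACLs as DSACLS dumps them, attributes as viewed in LDP, plus publicDelegates and Send As), as an added PowerShell example that is not part of the original thread. It assumes the RSAT ActiveDirectory module is installed; the two account names are placeholders, and the Send As GUID is the schema's control access right identifier rather than a value from this page.

```powershell
# Added example; read-only. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Placeholder sAMAccountNames (assumptions, not from the thread).
$good = Get-ADUser -Identity 'known.good'   -Properties *
$bad  = Get-ADUser -Identity 'problem.user' -Properties *

# 1. Attribute differences (the comparison you would otherwise do by eye in LDP).
#    Skip identity values that always differ and the raw security descriptor.
$skip  = 'nTSecurityDescriptor','objectGUID','objectSid','SID','uSNChanged','uSNCreated'
$names = @($good.PropertyNames) + @($bad.PropertyNames) |
         Sort-Object -Unique | Where-Object { $_ -notin $skip }
$attrDiff = foreach ($n in $names) {
    $g = @($good.$n) -join '; '
    $b = @($bad.$n)  -join '; '
    if ($g -ne $b) { [pscustomobject]@{ Attribute = $n; Good = $g; Problem = $b } }
}
$attrDiff | Format-Table -AutoSize -Wrap

# 2. ACE differences on the two user objects (the same data DSACLS dumps).
function Get-AceList([string]$Dn) {
    (Get-Acl -Path "AD:\$Dn").Access | ForEach-Object {
        '{0} | {1} | {2} | {3} | inherited={4}' -f $_.IdentityReference,
            $_.AccessControlType, $_.ActiveDirectoryRights, $_.ObjectType, $_.IsInherited
    }
}
$aceGood = Get-AceList $good.DistinguishedName
$aceBad  = Get-AceList $bad.DistinguishedName
Compare-Object $aceGood $aceBad | Select-Object InputObject,
    @{ n = 'OnlyOn'; e = { if ($_.SideIndicator -eq '<=') { 'good' } else { 'problem' } } }

# 3. The two settings discussed in the thread: publicDelegates (Send On Behalf)
#    and the Send As extended right. The GUID is the schema's Send-As control
#    access right (not from the thread); an empty ObjectType GUID on an
#    ExtendedRight ACE means all extended rights, which includes Send As.
$sendAs   = [guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'
$extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
foreach ($u in $good, $bad) {
    $who = (Get-Acl -Path "AD:\$($u.DistinguishedName)").Access | Where-Object {
        ($_.ActiveDirectoryRights -band $extended) -and
        ($_.ObjectType -in $sendAs, [guid]::Empty)
    } | ForEach-Object { "$($_.AccessControlType): $($_.IdentityReference)" }
    [pscustomobject]@{
        Account         = $u.SamAccountName
        PublicDelegates = @($u.publicDelegates) -join '; '
        SendAs          = @($who | Sort-Object -Unique) -join '; '
    }
}
```

Deny entries are listed alongside Allow entries in the SendAs column, so a Deny ACE present only on the problem account stands out.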
