• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2420
  • Last Modified:

How can I compare the settings of two Active Directory accounts?

I have a problem that I believe boils down to permissions on the user accounts.

Is there a free tool that will examine two accounts and tell me the differences in permissions and security settings?

I'd like to compare a known good account with a problematic account to see if there are any differences.

0
Robmonster
Asked:
Robmonster
3 Solutions
 
Chris DentPowerShell DeveloperCommented:

It depends which permissions you're looking, and what is broken and causing you problems.

For example, you have these you can pick from to start with:

Security descriptor on the user account
Security descriptor on the mailbox
Any file level security descriptors

Can you tell us anything about the problem that might help us decide which we need to examine?

Chris
0
 
RobmonsterAuthor Commented:
It relates to setting Exchange permissions, pas per my other question here:-

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_24126423.html

I posted this as a separate question to avoid muddying the water.

Rob
0
 
milindnCommented:
You can use DSACLS to dump the ACLs on different objects. Free with windows. Another way is to use LDP.exe to examine the attribute differences on desired user accounts.

See http://support.microsoft.com/kb/281146 and
http://technet.microsoft.com/en-us/library/cc775942.aspx

M
0
 
Chris DentPowerShell DeveloperCommented:

We have a few different areas to deal with, not all of them explicit permissions.

Lets cover Send On Behalf first. You find this in the GUI (as I'm sure you know) under Exchange General \ Delivery Options \ Send On Behalf. That isn't actually an access right, it populates an attribute called publicDelegates in Active Directory. Can you see if the account mentioned is listed?

As far as I know, Send On Behalf takes precedence over any Send As permission.

The Send As permission itself is configured in the User Account Security Descriptor. From AD Users and Computers: View / Advanced, then select the Security Tab and see who is listed with Send As permission.

Chris
0
 
sandeep_narkhedeCommented:
DSACLS is the best way as suggested by Milind, also you may want to get a dump of attributes using LDP tool , if you need to compare the accounts beyond just permissions.

By the way if you could elaborate the issue, we may be able to assist better
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now