DSQuery Command to List all Security Descriptors in Domain For All OU's

Posted on 2010-03-30
Medium Priority
Last Modified: 2012-05-09
Hello, is there a DSQUERY that I can run that will show/tally up all of the Security Descriptors for ALL OU's within my domain? The items I'm needing to tally up are located under the Security tab of each group in AD under its properties. I'd like to filter out the following: "System Admin,Domain Admins,Schema Admins,Account Operators,Print Operators,Enterprise Domain Controllers,Password Manager,System,Pre-Windows 2000 Compatible Access,MigrateSIDHistory" I'd then like to push the results, say, to a text file >>c:\totalsecuritydescriptors.txt
Question by: itsmevic

Accepted Solution

Mike Kline earned 2000 total points
ID: 29117123
Take a look at the following question Joe helped with (great work by Joe)


Several versions that may help you

With a tool like adfind I can do something like:

adfind -default -f objectcategory=organizationalunit -sddl++ -resolvesids

and you can add a -sddlnotfilter (but that won't filter out every group).

There is also the dsrevoke tool with the /report switch, but the scripts in the question above are better.
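
The report the question asks for, sketched as an added example that is not part of the original answer: it uses the PowerShell ActiveDirectory module (RSAT) instead of DSQuery or adfind, reads each OU's ACL, drops the trustees named in the question, and appends the remaining entries plus a per-trustee tally to the text file. It assumes the module is installed and the account can read the OUs' security descriptors; the variable names are illustrative.

```powershell
# Added example: requires the RSAT ActiveDirectory module and read access
# to the OUs' security descriptors. Variable names are illustrative.
Import-Module ActiveDirectory

# Trustees to leave out of the report, taken from the question's list.
$exclude = @(
    'System Admin', 'Domain Admins', 'Schema Admins', 'Account Operators',
    'Print Operators', 'Enterprise Domain Controllers', 'Password Manager',
    'System', 'Pre-Windows 2000 Compatible Access', 'MigrateSIDHistory'
)
$outFile = 'C:\totalsecuritydescriptors.txt'   # output path from the question

# Collect one record per ACE that is not granted to an excluded trustee.
$aces = @(foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    # The AD: drive is provided by the ActiveDirectory module.
    $acl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)
    foreach ($ace in $acl.Access) {
        # IdentityReference is DOMAIN\Name (or a bare SID when it cannot be
        # resolved). Compare on the name part; -notcontains ignores case.
        $trustee = $ace.IdentityReference.Value
        $short   = ($trustee -split '\\')[-1]
        if ($exclude -notcontains $short) {
            New-Object PSObject -Property @{
                OU        = $ou.DistinguishedName
                Trustee   = $trustee
                Type      = $ace.AccessControlType
                Rights    = $ace.ActiveDirectoryRights
                Inherited = $ace.IsInherited
            }
        }
    }
})

# Detail: every remaining ACE, grouped visually by OU and trustee.
$aces | Sort-Object OU, Trustee |
    Select-Object OU, Trustee, Type, Rights, Inherited |
    Format-Table -AutoSize | Out-String -Width 300 |
    Out-File -FilePath $outFile -Append

# Tally: number of remaining ACEs per trustee across all OUs.
$aces | Group-Object Trustee | Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize | Out-String -Width 300 |
    Out-File -FilePath $outFile -Append
```

Unresolved SIDs stay in the report because they never match a name in the exclusion list, and non-inherited entries for unexpected trustees are the ones worth reviewing first.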


