Checking my access in AD

Hi Folks,

Is there a quick and non-intrusive way to check my user access level in AD? I don't think I am the domain admin but I just want to make sure.

Thanks.
Decarn Asked:
 
Premkumar Yogeswaran, Analyst II - System Administrator, Commented:
Hi,
Open ADUC.
Go to View -> select Advanced Features.

Now right-click an OU or a user and click Properties.

There, go to the Security tab -> click Advanced.

Go to the Effective Permissions tab.

There, select your user name and check for the access you have in AD.

Regards,
Prem
0
 
andoss Commented:
You could open a cmd prompt and run gpresult /r
That will list all the security groups you are a member of; however, those groups could still be members of other groups...
Do you have access to AD using the Active Directory Users and Computers MMC?
If so, you could check what groups you are a member of, then check what groups those groups are a member of, etc...

There may be an easier way, but if so I don't know it, sorry.
0
 
Glen Knight Commented:
The answer to this question depends completely on where you want to check.

As mentioned, group membership is one method. You could use DSGET by running the following:


DSQUERY USER -samid your_user_name | DSGET USER -memberof -expand
0
 
SyedJan Commented:
The simple and easy way is to log in to any computer joined to the domain, open up cmd and type gpresult /v. Once it collects the info, find the "THE USER IS PART OF THE FOLLOWING SECURITY GROUPS" section; there you can see your user account's membership.
0
 
Decarn (Author) Commented:
Many thanks for the swift reply.

My main purpose is to ensure that I do have the rights to mess around with the AD in any way, i.e. add, delete, edit AD users, computers and membership, delegate control etc.

I have gone into ADUC and checked my account and I know I am a member of a few groups. Correct me if I'm wrong: although none of those groups is named "Domain Administrators", there is still a possibility that one of these groups is a member of "Domain Administrators".

I couldn't get gpresult to work on my PC; some file is missing. I could log in using another person's computer, though that would be a little inconvenient. Since I have ADUC, is there any way to verify using that?
0
 
SyedJan Commented:
Hello,

When you log in to the computer and type gpresult /v, you will have to find the section shown in the attached screenshot and check if your user is a member of Domain Admins.
If this does not work for you, then you can do it this way:

If you have ADUC, right-click on the user, go to Properties and then the Member Of tab, and check if your user is a member of Domain Admins, Schema Admins and Enterprise Admins. If you are a member of those groups, then you are a full administrator of the system.

If you are only a member of Domain Admins, then you can do the mentioned things you require.

Let me know if you need further assistance.




gpreusltv.bmp
0
 
Decarn (Author) Commented:
Hi SyedJan,

As long as, in ADUC, I am not a member of the Domain Admins, Schema Admins and Enterprise Admins groups, does that mean I don't have any privileges to mess with the AD?

Is there a possibility that, say for example, I am a member of the "Information" group and the "Information" group is a member of the "Domain Admins" group?

Also, can any normal user view all the accounts in AD as long as they install ADUC?
0
 
Premkumar Yogeswaran, Analyst II - System Administrator, Commented:
Hi,

Now you found the user is a member of the Domain Admins group..!

If you want to check the permissions on the user account, follow the steps I posted above.

It will show the permissions you have on an object.

Regards,
Prem
0
 
Premkumar Yogeswaran, Analyst II - System Administrator, Commented:
Yes, a normal user can also view the user account if adminpak is installed on their system.

But it will be grayed out; they only have read access.
0
 
SyedJan Commented:
Let's say that there is a group called Information and your user is a member of that group, and the Information group is a member of the Domain Admins group; then you are an administrator of the domain, because the Information group is a member of Domain Admins. It is all due to inheritance: the permission inherits from the parent member, and in this case the parent is Domain Admins.
Can you open ADUC, go to the Users OU and find Domain Admins, right-click, go to Properties and look at the Member Of and Members tabs? If your Information group is a member, it will be listed here. Also check Schema Admins and Enterprise Admins in a similar way. Also find Information, go to Properties and check the Member Of and Members tabs. The Member Of tab shows the groups that it is a member of, and the Members tab shows all users who are members of the group.


Let me know how you proceed with that.
0
 
SyedJan Commented:
And yes, normal users can view the Active Directory Users and Computers snap-in but can't add anything, as it is read-only access.

If you can make any membership change or add any test user account, then you have admin rights.

0
 
andoss Commented:
As discussed in my first post, if you check what groups you are a member of and then what groups those groups are a member of, you will know whether you have domain admin permissions or not.
0
 
Decarn (Author) Commented:
Hi Folks,

Appreciate your input. I guess the easiest way is to check which groups I am in and then to check if these groups are in the Domain Admins, Schema Admins and Enterprise Admins groups.
0
 
SyedJan Commented:
Yes, you are right.
0
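The nested-group check the thread settles on, as an added example that is not from any participant's post: a read-only PowerShell script that looks for Domain Admins, Schema Admins and Enterprise Admins both in the current logon token and through a transitive LDAP query, without needing gpresult or ADUC. It assumes you are logged on to a domain-joined machine with the domain account in question; `Test-PrivilegedSid` is a hypothetical helper name.

```powershell
# Added example (not from the thread). Read-only: it only queries, never modifies.
# Well-known RIDs of the three groups discussed above.
$privileged = @{ '512' = 'Domain Admins'; '518' = 'Schema Admins'; '519' = 'Enterprise Admins' }

function Test-PrivilegedSid {   # hypothetical helper name
    param([System.Security.Principal.SecurityIdentifier]$Sid, [string]$Source)
    # Domain SIDs look like S-1-5-21-<domain>-<RID>; compare the trailing RID.
    $rid = $Sid.Value.Split('-')[-1]
    if ($Sid.Value -like 'S-1-5-21-*' -and $privileged.ContainsKey($rid)) {
        [pscustomobject]@{ Source = $Source; Group = $privileged[$rid]; Sid = $Sid.Value }
    }
}

# 1) Group SIDs in the current logon token. Windows has already expanded
#    nesting here, but the token only reflects membership as of the last logon.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$hits = @(foreach ($sid in $identity.Groups) { Test-PrivilegedSid -Sid $sid -Source 'Token' })

# 2) Ask a domain controller for every group that contains the account directly
#    or through nesting, using the LDAP_MATCHING_RULE_IN_CHAIN OID.
#    Assumption: $env:USERNAME is the sAMAccountName of a domain account.
$me = ([adsisearcher]"(&(objectCategory=person)(sAMAccountName=$env:USERNAME))").FindOne()
if ($me) {
    $dn = [string]$me.Properties['distinguishedname'][0]
    # Escape characters that are special inside an LDAP filter value.
    $dnEsc = $dn -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    $searcher = [adsisearcher]"(&(objectCategory=group)(member:1.2.840.113556.1.4.1941:=$dnEsc))"
    $searcher.PageSize = 500
    foreach ($g in $searcher.FindAll()) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($g.Properties['objectsid'][0], 0)
        $hits += @(Test-PrivilegedSid -Sid $sid -Source 'Directory')
    }
}

if ($hits) { $hits | Sort-Object Group, Source -Unique | Format-Table -AutoSize }
else { 'No nested membership in Domain Admins, Schema Admins or Enterprise Admins found.' }
```

The directory query searches only the current domain and does not cover the account's primary group, so in a multi-domain forest Schema Admins and Enterprise Admins (held in the forest root domain) need the same query run against the root. Rights delegated directly on an OU or object do not appear as group membership; the Effective Permissions tab described earlier in the thread covers those.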
Question has a verified solution.
