Solved

Checking my access in AD

Posted on 2011-03-14
550 Views
Last Modified: 2012-05-11
Hi Folks,

Is there a quick and non-intrusive way to check my user access level in AD? I don't think I am the domain admin but I just want to make sure.

Thanks.
Question by: Decarn
14 Comments
 
LVL 8

Expert Comment

by:andoss
You could open a cmd prompt and run gpresult /r
That will list all the security groups you are a member of; however, those groups could still be members of other groups...
Do you have access to AD using the Active Directory Users and Computers MMC?
If so, you could check what groups you are a member of, then check what groups those groups are a member of, etc...

There may be an easier way, but if so I don't know it, sorry.
0
 
LVL 17

Accepted Solution

by:
Premkumar Yogeswaran earned 167 total points
Hi,
Open ADUC.
Go to View -> select Advanced Features.

Now right-click an OU or a user and click Properties.

There, go to the Security tab -> click Advanced.

Go to the Effective Permissions tab.

There, select your user name and check the access you have in AD.

Regards,
Prem
0
 
LVL 74

Expert Comment

by:Glen Knight
The answer to this question depends completely on where you want to check.

As mentioned, group membership is one method; you could use DSGET by running the following:

DSQUERY USER -samid your_user_name | DSGET USER -memberof -expand
0
 
LVL 2

Expert Comment

by:SyedJan
The simple and easy way is to log in to any computer joined to the domain, open up cmd and type gpresult /v. Once it has collected the info, find the THE USER IS PART OF THE FOLLOWING SECURITY GROUPS section; there you can see your user account's membership.
0
 

Author Comment

by:Decarn
Many thanks for the swift reply.

My main purpose is to ensure that I do have the rights to mess around with the AD in any way, i.e. add, delete, edit AD users, computers and membership, delegate control etc.

I have gone into ADUC and checked my account and I know I am a member of a few groups. Correct me if I'm wrong: although none of those groups is named "Domain Administrators", there is still a possibility that one of these groups is a member of "Domain Administrators".

I couldn't get gpresult to work on my PC; some file is missing. I could log in using another person's computer, but that would be a little inconvenient. Since I have ADUC, is there any way to verify using that?
0
 
LVL 2

Expert Comment

by:SyedJan
Hello,

When you log in to the computer and type gpresult /v, you will have to find the section shown in the attached screenshot and check if your user is a member of domain admin.
If this does not work for you, you can do it this way:

If you have ADUC, right-click the user, go to Properties and then the MemberOf tab, and check if your user is a member of Domain Admins, Schema Admin and Enterprise admin. If you are a member of those groups, then you are a full administrator of the system.

If you are only a member of Domain Admins, then you can do the things you mentioned.

Let me know if you need further assistance.




gpreusltv.bmp
0
 

Author Comment

by:Decarn
Hi SyedJan,

As long as, in ADUC, I am not a member of the Domain Admins, Schema Admin and Enterprise admin groups, does that mean I don't have any privileges to mess with the AD?

Is there a possibility that, say for example, I am a member of the "Information" group and the "Information" group is a member of the "Domain Admins" group?

Also, can any normal user view all the accounts in AD as long as they install ADUC?
0
 
LVL 17

Expert Comment

by:Premkumar Yogeswaran
Hi,

Now you found the user is a member of the domain admin group..!

If you want to check the permission on the user account, follow the steps I posted above.

It will show the permission you have to an object.

Regards,
Prem
0
 
LVL 17

Expert Comment

by:Premkumar Yogeswaran
Yes, a normal user can also view the user accounts if adminpak is installed on their system..

But it will be grayed out.. they only have read access.
0
 
LVL 2

Assisted Solution

by:SyedJan
SyedJan earned 166 total points
Let's say that there is a group called information, your user is a member of that group, and the information group is a member of the domain admin group; then you are an administrator of the domain, because the information group is a member of domain admin. It is all due to inheritance: the permission inherits from the parent member, and in this case the parent is the domain admins.
Can you open ADUC, go to the Users OU and find domain admin, right-click and go to Properties, and look at the Member Of and Member tabs? If your information group is a member, it will be listed here. Also check Schema Admin and Enterprise admin in a similar way. Also find information, go to Properties and check the Member Of and Member tabs. The Member Of tab shows the groups that it is a member of, and the Member tab shows all users who are members of the group.


Let me know how you proceed with that.
0
 
LVL 2

Expert Comment

by:SyedJan
And yes, normal users can view the Active Directory Users and Computers snap-in but can't add anything, as it is read-only access.

If you can change any membership or add any test user account, then you have admin rights......

0
 
LVL 8

Assisted Solution

by:andoss
andoss earned 167 total points
As discussed in my first post if you check what groups you are a member of and then what groups those groups are a member of you will know whether you have domain admin permissions or not.
0
 

Author Comment

by:Decarn
Hi Folks,

Appreciate your input. I guess the easiest way is to check which groups I am in and then to check if these groups are in the Domain Admins, Schema Admin and Enterprise admin groups.
0
 
LVL 2

Expert Comment

by:SyedJan
Yes, you are right.
0
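The nested-group check the thread settles on can be done in one read-only LDAP query from PowerShell; this is an added example, not part of any post above. It assumes a domain-joined machine, a logon with a domain account and a single domain, and it identifies Domain Admins, Schema Admins and Enterprise Admins by their well-known RIDs (512, 518, 519); `ConvertTo-LdapFilterValue` is a helper defined here.

```powershell
# Added example: read-only lookup of the current user's direct AND nested groups.
# Needs no RSAT/ADUC install; [adsisearcher] ships with PowerShell on Windows.

# Well-known RIDs of the three groups named in the thread (string keys on purpose).
$privileged = @{ '512' = 'Domain Admins'; '518' = 'Schema Admins'; '519' = 'Enterprise Admins' }

function ConvertTo-LdapFilterValue([string]$Value) {
    # Escape characters that are special inside an LDAP filter (backslash first).
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

# Find our own user object by logon name (searches the current domain only).
$name = ConvertTo-LdapFilterValue $env:USERNAME
$me = ([adsisearcher]"(&(objectCategory=person)(sAMAccountName=$name))").FindOne()
if (-not $me) { throw "No AD user found for $env:USERNAME" }
$dn = ConvertTo-LdapFilterValue $me.Properties['distinguishedname'][0]

# The matching rule 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) makes the
# domain controller follow 'member' links through every level of nesting.
# Limitation: the primary group (usually Domain Users) is not linked through
# 'member', so nesting that starts at the primary group is not followed.
$searcher = [adsisearcher]"(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=$dn))"
$searcher.PageSize = 500
$searcher.PropertiesToLoad.AddRange([string[]]('samaccountname', 'objectsid'))

$hits = foreach ($g in $searcher.FindAll()) {
    $sid = (New-Object System.Security.Principal.SecurityIdentifier($g.Properties['objectsid'][0], 0)).Value
    $rid = ($sid -split '-')[-1]
    # Only domain SIDs (S-1-5-21-...) carry these RIDs.
    if ($sid -like 'S-1-5-21-*' -and $privileged.ContainsKey($rid)) {
        New-Object psobject -Property @{
            Group = $g.Properties['samaccountname'][0]
            Role  = $privileged[$rid]
        }
    }
}

if ($hits) {
    $hits | Format-Table Role, Group -AutoSize
} else {
    'Not a direct or nested member of Domain Admins, Schema Admins or Enterprise Admins in this domain.'
}
```

An empty result covers only these three groups; rights delegated on individual OUs still show up only in the Effective Permissions tab described in the accepted solution.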
