Active Directory Reporting

Hi,
I wanted to know if it's possible to run some kind of report within AD to find any accounts that can do the following ADMIN tasks (an LDAP query or something?).

I'm not sure how you know, or where this authority is even set.
I know you can get this access via membership of a group like "Domain Admins"; however, is it possible to be given access directly, outside of this group?

This is to close down a security/audit issue.

Group Management Tasks
• Modify group membership (WP on the group object to modify Members attribute)
• Modify the scope of the group (WP on the group object to modify Group-Type attribute)
• Delete a group (SD on the group object itself OR DC on parent object (to delete objects of class Group))
• Create a group (CC on parent object (to create objects of class Group))

User Account Management Tasks
• Create a user account in disabled state (CC on parent object (to create objects of class User))
• Create a user account (CC on parent object (to create objects of class User), WP on the user object to modify User-Account-Control attribute, Extended Right "Reset Password" required on user account)
• Delete a user account (SD on the user object itself OR DC on parent object (to delete objects of class User))
• Disable a user account (WP on the user object to modify User-Account-Control attribute)
• Unlock a user account (WP on the user object to modify the Lockout-Time attribute)
• Enable a disabled user account (WP on the user object to modify User-Account-Control attribute)
• Reset a user account's password (The User-Change-Password extended right is required on the user object)
• Specify the computers from which a user can log on (WP on the user object to modify User-Workstations attribute)
• Set User cannot change password for a user account (WD on the user object)
• Set Password Never Expires for a user account (WP on the user object to modify User-Account-Control attribute)
• Disable a user account (WP on the user object to modify User-Account-Control attribute)
• Specify the date when a user account expires (WP on the user object to modify Account-Expires attribute)
• Add a user account to a group (WP on the target Group object to modify Member attribute)
• Remove the user from a group (WP on the target Group object to modify Member attribute)
• Create a user account in disabled state (CC on parent object (to create objects of class User))
• Create a user account (CC on parent object (to create objects of class User), WP on the user object to modify User-Account-Control attribute, Extended Right "Reset Password" required on user account, SD on the user object itself OR DC on parent object (to delete objects of class User))
• Disable a user account (WP on the user object to modify User-Account-Control attribute)
• Unlock a user account (WP on the user object to modify the Lockout-Time attribute)
• Enable a disabled user account (WP on the user object to modify User-Account-Control attribute)
• Reset a user account's password (The User-Change-Password extended right is required on the user object)

Group Policy Management Tasks
• Modify Site Group Policy Options (WP on the corresponding site object, cn=<Site>,cn=Sites,cn=Configuration,dc=<forestRootDomain> to modify the GP-Options attribute)
• Edit a Group Policy object (Requires "Edit Settings" on the GPO)
• Modify security on a Group Policy object (Requires "Edit Settings, Delete, Modify Security" on the GPO)

Computer Management Tasks
• Rename a computer account (WP on the computer object to modify all attributes)
• Create a computer account (CC on parent object (to create objects of class Computer))
• Rename a computer account (WP on the computer object to modify all attributes)
• Move a computer account (SD on the computer object itself OR DC on parent object (to delete objects of class Computer), CC on target parent (to create objects of class Computer), WP on the computer object to modify Common-Name attribute, WP on the computer object to modify RDN attribute)
• Disable a computer account (WP on the computer object to modify User-Account-Control attribute)
• Specify the Pre-Windows 2000 compatible name for a computer (WP on the computer object to modify SAM-Account-Name attribute)
• Set a computer's DNS name (Validated-DNS-Host-Name SW on the computer object)
• Reset a computer account (The Force-User-Change-Password extended right is required on the computer object)
• Add a computer account to a group (WP on the target group object to modify Member attribute)
• Specify that a computer account be trusted for delegation (WP on the computer object to modify User-Account-Control attribute; the "Enable computer and user accounts to be trusted for delegation" user right is required, modified in Default Domain Controller Security Policy)
• Specify whether a computer account can be trusted for delegation to any service (Kerberos only) (User right "Enable User and Computer account to be trusted for Delegation" required (assigned in default Domain Controller Policy))
• Specify that a computer account be trusted for delegation to specific services only (User right "Enable User and Computer account to be trusted for Delegation" required (assigned in default Domain Controller Policy), WP on the computer object to modify msDS-AllowedToDelegateTo attribute)
• Specify "Use Kerberos Only" (User right "Enable User and Computer account to be trusted for Delegation" required (assigned in default Domain Controller Policy), WP on the computer object to modify msDS-AllowedToDelegateTo attribute)
• Specify "Use any authentication protocol" (User right "Enable User and Computer account to be trusted for Delegation" required (assigned in default Domain Controller Policy), WP on the computer object to modify msDS-AllowedToDelegateTo attribute)
• Add/Remove the services to which a computer account can be presented delegated credentials (WP on the computer object to modify msDS-AllowedToDelegateTo attribute)
• Move a computer account (SD on the computer object itself OR DC on parent object (to delete objects of class Computer), CC on target parent (to create objects of class Computer), WP on the computer object to modify Common-Name attribute, WP on the computer object to modify RDN attribute)
• Disable a computer account (WP on the computer object to modify User-Account-Control attribute)
jamiepryerAsked:
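The rights in the list above (WP, CC, DC, SD, WD and the extended rights) are access control entries in the DACL of each directory object, so the audit question reduces to reading those DACLs and reporting every principal that holds one of these rights without being a member of an expected admin group. The script below is an added example for this thread, not code from the original post or from any product mentioned in it. It assumes the RSAT ActiveDirectory module (which provides the AD: drive used by Get-Acl), a placeholder $SearchBase you replace with your OU or domain root, and an $Expected list of principals your baseline already approves. It maps ACE GUIDs to schema and extended-right names so the output reads "member" or "Reset Password" rather than a GUID, and it flags a row as Direct when the ACE is set on the object itself instead of inherited from a parent, which is the "given access directly, outside the group" case the question asks about.

```powershell
# Added example (not from the original thread). Reports non-default ACEs that grant
# the delegated rights listed in the question. Assumes RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$SearchBase = 'OU=Placeholder,DC=example,DC=com'   # placeholder: your OU or domain root DN
$Domain  = Get-ADDomain
$RootDSE = Get-ADRootDSE

# Map schema and extended-right GUIDs to names; an empty ObjectType GUID means "all".
$GuidNames = @{ [guid]::Empty = 'All' }
Get-ADObject -SearchBase $RootDSE.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $GuidNames[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($RootDSE.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $GuidNames[[guid]$_.rightsGuid] = $_.displayName }

# Principals expected to hold these rights (assumed baseline; adjust to your audit scope).
# Anyone else appearing in the report is a delegation to review.
$Expected = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'CREATOR OWNER',
    'BUILTIN\Administrators', 'BUILTIN\Account Operators',
    "$($Domain.NetBIOSName)\Domain Admins", "$($Domain.NetBIOSName)\Enterprise Admins"
)

# Attributes, extended rights and classes named in the task list.
$SensitiveAttrs   = @('member', 'groupType', 'userAccountControl', 'lockoutTime', 'accountExpires',
                      'userWorkstations', 'msDS-AllowedToDelegateTo', 'sAMAccountName', 'gPOptions')
$SensitiveRights  = @('Reset Password', 'Change Password')   # User-Force-Change-Password / User-Change-Password
$SensitiveClasses = @('group', 'user', 'computer', 'groupPolicyContainer')

function Get-DelegatedRightReport {
    param([Parameter(Mandatory)][string]$SearchBase)
    $R = [System.DirectoryServices.ActiveDirectoryRights]
    $filter = '(|(objectClass=organizationalUnit)(objectClass=container)(objectClass=group)' +
              '(objectClass=user)(objectClass=computer)(objectClass=groupPolicyContainer))'
    foreach ($obj in Get-ADObject -SearchBase $SearchBase -SearchScope Subtree -LDAPFilter $filter) {
        $acl = Get-Acl -Path "AD:\$($obj.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($Expected -contains $ace.IdentityReference.Value) { continue }
            $rights = $ace.ActiveDirectoryRights
            $target = if ($GuidNames.ContainsKey($ace.ObjectType)) { $GuidNames[$ace.ObjectType] }
                      else { $ace.ObjectType.ToString() }

            # Full control, WD (WriteDacl), WO (WriteOwner) or SD (Delete) on the object
            $full = $rights.HasFlag($R::GenericAll) -or $rights.HasFlag($R::WriteDacl) -or
                    $rights.HasFlag($R::WriteOwner) -or $rights.HasFlag($R::Delete)
            # WP on a sensitive attribute, or on all attributes
            $wp = $rights.HasFlag($R::WriteProperty) -and
                  ($target -eq 'All' -or $SensitiveAttrs -contains $target)
            # CC / DC for a sensitive class (or any class) on a container
            $ccdc = ($rights.HasFlag($R::CreateChild) -or $rights.HasFlag($R::DeleteChild)) -and
                    ($target -eq 'All' -or $SensitiveClasses -contains $target)
            # Extended rights such as Reset Password / Change Password
            $ext = $rights.HasFlag($R::ExtendedRight) -and
                   ($target -eq 'All' -or $SensitiveRights -contains $target)
            # SW (validated write), e.g. Validated-DNS-Host-Name; name match is an assumption
            $sw = $rights.HasFlag($R::Self) -and ($target -eq 'All' -or $target -like 'Validated write*')

            if (-not ($full -or $wp -or $ccdc -or $ext -or $sw)) { continue }
            [pscustomobject]@{
                Object   = $obj.DistinguishedName
                Class    = $obj.ObjectClass
                Identity = $ace.IdentityReference.Value
                Rights   = $rights.ToString()
                Target   = $target
                Direct   = -not $ace.IsInherited   # $true: ACE set on this object, not inherited
            }
        }
    }
}

Get-DelegatedRightReport -SearchBase $SearchBase |
    Sort-Object Object, Identity |
    Export-Csv -Path .\ad-delegation-report.csv -NoTypeInformation
```

Rows where Identity is a user rather than a group, or where Direct is $true on a single account or group object, are the cases that bypass group-based review and are usually what an auditor wants listed first. GPO "Edit Settings" rights show up as WriteProperty or GenericAll on the groupPolicyContainer object; the SYSVOL file ACLs of each GPO are a separate check this script does not cover. Run it under an account that can read the DACLs of the scope you pass, and narrow $SearchBase for large domains, since Get-Acl is called once per object.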
Sushil SonawaneCommented:
You can achieve these through ADManager Plus.

For more info and download, refer to the link below:

http://www.manageengine.com/products/ad-manager/
0

jamiepryerAuthor Commented:
Hey,
I need to do this outside of a product.
I basically already have a product that can query the AD, so I just need to know what to look for first, so I can tweak that.
0