A. Windows Server 2003 and Windows 2000 Server provide helpful wizards for delegating permissions to users in AD. However, no wizard lets you view existing delegations. To do so, you must manually view the security settings that have been applied on containers and objects.
Microsoft recently released a tool that makes it easier to view existing permissions delegations. You can download the tool--called Dsrevoke--from the Microsoft Web site. Dsrevoke reports on the permissions that a security principal holds on a domain and/or organizational units (OUs) and also lets you remove those permissions. For example, the following sample Dsrevoke command reports the permissions that the HelpDesk group in the demo domain holds on the Testing OU (and, through inheritance, on the objects beneath it) in the demo.test domain:
dsrevoke /report /root:ou=testing,dc=demo,dc=test demo\helpdesk
The command displays these onscreen messages:
ACE #1
  Object: OU=testing,DC=demo,DC=test
  Security Principal: DEMO\HelpDesk
  Permissions: READ PROPERTY WRITE PROPERTY
  ACE Type: ALLOW
  ACE does not apply to this object
  ACE inherited by all child objects of class User

ACE #2
  Object: OU=testing,DC=demo,DC=test
  Security Principal: DEMO\HelpDesk
  Permissions: EXTENDED ACCESS
  ACE Type: ALLOW
  ACE does not apply to this object
  ACE inherited by all child objects of class User

# of ACEs for demo\helpdesk = 2
You can see in the output that the HelpDesk group has two access control entries (ACEs) on the Testing OU, both of which are inherit-only (they don't apply to the OU itself) and apply only to child objects of class User. However, the output doesn't give the exact permissions: it doesn't say which property the READ PROPERTY and WRITE PROPERTY ACE covers or which control access right the EXTENDED ACCESS ACE grants. To determine this information, you must first enable the Advanced Features view in the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in. Then, at the container's Properties page, select the Security tab and click the Advanced button. To view a group's permissions, select the Permissions tab, then select the group and click Edit, as the Figure shows. In this example, the HelpDesk group has permissions to reset passwords and to force a password change: the EXTENDED ACCESS ACE is the Reset Password control access right, and the READ PROPERTY and WRITE PROPERTY ACE is on the pwdLastSet attribute, which is how an administrator forces a user to change the password at next logon. Keep in mind that Dsrevoke reports and removes ACEs only on the domain object and on OUs; it doesn't examine permissions set on other containers or on individual leaf objects. Dsrevoke is therefore most effective when delegation has been defined by using roles--that is, users are placed in a group, and the group is given permissions at a domain or OU level, instead of via individual objects.
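The following PowerShell script is an added example, not part of the original article and not Dsrevoke's own code. It does what the article describes doing by hand in the snap-in: it lists every ACE that a given principal holds on an OU and on the objects beneath it, and it resolves the schema and extended-right GUIDs that Dsrevoke prints only as READ PROPERTY, WRITE PROPERTY or EXTENDED ACCESS. Unlike Dsrevoke, it also walks the OU's subtree, so delegations placed directly on leaf objects show up too. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and that the caller can read the security descriptors in the OU; the default OU distinguished name and group name are the article's sample values.

```powershell
# Added example, not from the article and not Dsrevoke's code: report the ACEs
# that a security principal holds on an OU and on every object beneath it, with
# ObjectType / InheritedObjectType GUIDs resolved to readable names.
# Assumptions: ActiveDirectory module (RSAT) is installed; the caller can read
# the OU's security descriptors; the defaults below are the article's demo values.
param(
    [string]$SearchBase = 'OU=testing,DC=demo,DC=test',
    [string]$Principal  = 'DEMO\HelpDesk'
)
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE
$guidMap = @{}

# Schema classes and attributes: schemaIDGUID -> lDAPDisplayName (e.g. user, pwdLastSet)
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[([guid]$_.schemaIDGUID).ToString()] = $_.lDAPDisplayName }

# Control access rights (extended rights): rightsGuid -> displayName (e.g. Reset Password)
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[([guid]$_.rightsGuid).ToString()] = $_.displayName }

function Resolve-AceGuid {
    # The all-zero GUID on an ACE means "all properties/rights" or "all classes".
    param([guid]$Guid, [string]$Wildcard)
    if ($Guid -eq [guid]::Empty) { return $Wildcard }
    $name = $guidMap[$Guid.ToString()]
    if ($name) { $name } else { $Guid.ToString() }
}

# Dsrevoke stops at the domain and OU level; walking the subtree also surfaces
# ACEs that were granted directly on leaf objects such as individual user accounts.
$report = Get-ADObject -SearchBase $SearchBase -SearchScope Subtree -Filter * |
    ForEach-Object {
        $dn  = $_.DistinguishedName
        $acl = Get-Acl -Path "AD:\$dn"
        foreach ($ace in $acl.Access) {
            # String comparison is case-insensitive, so demo\helpdesk also matches.
            if ($ace.IdentityReference.Value -ne $Principal) { continue }
            [pscustomobject]@{
                Object      = $dn
                Type        = $ace.AccessControlType
                Rights      = $ace.ActiveDirectoryRights
                AppliesTo   = Resolve-AceGuid $ace.ObjectType 'all'
                InheritedBy = Resolve-AceGuid $ace.InheritedObjectType 'all classes'
                # InheritOnly corresponds to Dsrevoke's "ACE does not apply to this object"
                InheritOnly = [bool]($ace.PropagationFlags -band
                              [System.Security.AccessControl.PropagationFlags]::InheritOnly)
                Inherited   = $ace.IsInherited
            }
        }
    }

$report | Format-Table -AutoSize
```

Save the script as a .ps1 file and run it from a PowerShell session on a domain-joined machine with RSAT; pass -SearchBase and -Principal to examine another OU or group. For the article's delegation, the two ACEs on the OU would appear with Rights of ReadProperty, WriteProperty and AppliesTo of pwdLastSet for the first, and Rights of ExtendedRight and AppliesTo of Reset Password for the second, both with InheritedBy of user and InheritOnly of True. Any further rows whose Object is a user or other leaf object rather than the OU are delegations that Dsrevoke would not have reported.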