Active Directory - Get What Effective Permissions Certain groups have on Specific Objects

    Question

  • Hello,

    I’m having an issue where, in the same OU, for random user objects, standard user accounts have more permissions than they should. For example, an OU named Sales contains 300 user accounts; when I run PowerShell Get-ADUser and get all the properties for the users, for 150 of those users I see data showing in some of the attributes that I shouldn’t be able to see with my standard non-privileged account (I have verified other standard accounts see the same info). I have checked the Security tab Advanced permissions on some of these objects and there are three groups that could be the culprit: Everyone, Domain Users, and Authenticated Users. The three groups are listed several times with Special permissions. What I need help with is a way to export the effective permissions for each of the three groups in a way that is not too difficult to view and compare them to the objects whose permissions are set correctly (CSV or Excel perhaps), even if I have to compare one random user object at a time. If I find what is different, I can find out what needs to be corrected. Unfortunately, I have not been able to find a common denominator among the objects having the issue, but I have been doing it manually using

    If there is a better way to figure this issue out, I would like to know, please. Any assistance will be greatly appreciated.

    Thursday, January 19, 2017 3:39 PM

All replies

  • Hi,
    Regarding exporting the permissions, I would suggest taking a look at the following blog and trying the suggested tool to export the effective permissions:
    Effective Rights – What can users do?
    https://blogs.technet.microsoft.com/pfesweplat/2013/10/08/effective-rights-what-can-users-do/
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    • Proposed as answer by crazyquacker Tuesday, October 24, 2017 10:30 AM
    Friday, January 20, 2017 6:22 AM
    Moderator
  • You can follow the steps below to view and export the AD delegated permissions assigned to an OU:

    1) Open the ADUC and click View menu and check Advanced Features.

    2) Locate the specific OU and right click, then choose Properties.

    3) Click the Security tab, then click the Advanced tab. All the permissions, as well as the delegated permissions, are listed.

    4) Export all permissions assigned on the specific OU to a text file.

    Else, you can use the dsacls tool https://technet.microsoft.com/en-us/library/cc771151(v=ws.11).aspx to export all the security ACLs on a specific OU to a text file.
    Also, please check this link too - https://technet.microsoft.com/en-us/library/cc771151(v=ws.11).aspx
    Friday, January 20, 2017 10:17 AM
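An added example, not posted by anyone in this thread, of the PowerShell comparison Maya asked for: it dumps the ACEs that name Everyone, Domain Users or Authenticated Users on one user object, resolves the "Special permissions" GUIDs to attribute, property-set and extended-right names, and writes them to CSV so an affected object and a correctly set object can be diffed. It assumes the RSAT ActiveDirectory module is available and uses 'jdoe' as a placeholder account name.

```powershell
# Added example (not from the thread). Lists ACEs for three well-known principals on one
# user object, with ObjectType GUIDs resolved to readable names, and exports them to CSV.
Import-Module ActiveDirectory

$SamAccountName = 'jdoe'      # placeholder; replace with the user object to examine
$OutCsv         = "$env:TEMP\$SamAccountName-aces.csv"
$Principals     = 'Everyone', 'Domain Users', 'Authenticated Users'

$rootDse = Get-ADRootDSE
# Build a GUID -> name map from the schema (attributes, classes, property sets)
# and from the Extended-Rights container (control access rights such as Reset Password).
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.SchemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.ConfigurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

function Resolve-AceGuid([guid]$Id) {
    # An empty GUID means the ACE applies to the whole object, not one attribute/right.
    if ($Id -eq [guid]::Empty) { return 'All' }
    if ($guidMap.ContainsKey($Id)) { return $guidMap[$Id] }
    return $Id.ToString()
}

$dn  = (Get-ADUser -Identity $SamAccountName).DistinguishedName
$acl = Get-Acl -Path "AD:\$dn"

$rows = $acl.Access |
    Where-Object { $Principals -contains $_.IdentityReference.Value.Split('\')[-1] } |
    ForEach-Object {
        [pscustomobject]@{
            Object       = $dn
            Identity     = $_.IdentityReference.Value
            Type         = $_.AccessControlType                   # Allow or Deny
            Rights       = $_.ActiveDirectoryRights
            AppliesTo    = Resolve-AceGuid $_.ObjectType          # attribute / property set / extended right
            InheritedObj = Resolve-AceGuid $_.InheritedObjectType # object class the ACE is scoped to
            Inherited    = $_.IsInherited                         # False = set directly on this object
            Inheritance  = $_.InheritanceType
        }
    }

$rows | Sort-Object Identity, Rights | Export-Csv -Path $OutCsv -NoTypeInformation
$rows | Format-Table Identity, Type, Rights, AppliesTo, Inherited -AutoSize
"Exported $($rows.Count) ACEs to $OutCsv"
```

Run it once for an affected user and once for a correctly permissioned one, then compare the two CSVs; rows with Inherited = False are the ACEs set directly on that object rather than inherited from the OU, which is where an unexplained difference usually shows up.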
  • Thank you Wendy, I did see that blog, but unfortunately I cannot install any apps in the environment that have not been approved by upper management. Those approvals can take months.
    Friday, January 20, 2017 2:36 PM
  • Hello Andres, thanks

    The steps you listed above are how I have been checking them so far, but the issue is that each OU has 100s of groups delegated, which makes it difficult. That is why I am asking if there is a way that I can see, for example:

    1. For a computer named Computer1 export all the effective permissions Domain Users have.

    Something like that. BTW, the link you included above is something I had found, but the link takes me to an unrelated website, Windows Server 2003/2003 R2 Retired Content.

    Friday, January 20, 2017 2:50 PM
  • Hello Andres, thanks

    The steps you listed above are how I have been checking them so far, but the issue is that each OU has 100s of groups delegated, which makes it difficult. That is why I am asking if there is a way that I can see, for example:

    1. For a computer named Computer1 export all the effective permissions Domain Users have.

    Something like that. BTW, the link you included above is something I had found, but the link takes me to an unrelated website, Windows Server 2003/2003 R2 Retired Content.

    Hi Maya,

    The links have been updated.

    Monday, January 23, 2017 7:29 AM
  • Hi,

    I am checking how the issue is going; if you still have any questions, please feel free to contact us.

    And if the replies above are helpful, we would appreciate it if you mark them as answers, and if you resolve it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    We appreciate your feedback.

    Best regards,

    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, January 30, 2017 8:15 AM
    Moderator