We can view the permissions assigned to an Organizational Unit (OU) in the Active Directory Users and Computers console, but we must first enable Advanced Features under the View menu (Figure-1).
After enabling it, right-click the OU (for example OU=NewYork) and select Properties.
Now select the Security tab, then click the Advanced button. On the Permissions tab (also called the Discretionary Access Control List, DACL) you can see the list of ACEs (Figure-3).
The assigned permissions can be displayed as access control entries (ACEs) with the command-line tool DSREVOKE, which can also remove them.
For example, to view the permissions of User=Ed.Price on OU=NewYork, run this command (Figure-4):
Dsrevoke /Report OU=NewYork,DC=Contoso,DC=Com Contoso\Ed.Price
Ed.Price has two ACEs (ACE #1 and ACE #2). Now, for example, we check ACE #2 in the Active Directory Users and Computers console (Figure-5).
You can see that ACE #2 is Create and Delete User objects.
Now we need to remove Ed.Price's delegated permissions from the NewYork OU. We run this command (Figure-6); the security prompt shown when deleting must be confirmed with "y":
Dsrevoke /Remove OU=NewYork,DC=Contoso,DC=Com Contoso\Ed.Price
This command removes all permissions of a user or group from a specific container, such as an OU, and thus also from the objects beneath it:
Dsrevoke /Remove "/root:<DN of the OU>" Domain\sAMAccountName
LIZA is a free tool for Active Directory environments that lets you display and analyze object rights in the directory hierarchy. You could use the tool, for example, to perform security permission analysis in an AD domain or the AD
We can use LIZA to view Ed.Price's delegated permissions on the NewYork Organizational Unit (OU).
Click the NewYork OU; in the Security Descriptor pane (right side), on the Permissions tab, you can see Ed Price's delegated permissions (Figure-7).
We can see an ACE in detail: click the Ed Price entry whose details you want, then click Show ACL (Figure-8).
Now we can see that Ed Price has Create and Delete User objects permissions on the NewYork OU (Figure-9).
Sometimes we have many OUs and only want to see which OUs a user has delegated permissions on.
We can use this batch file:
@ECHO OFF
REM Usage: DelegateView.bat <account or group>; lists every OU whose DACL names the account
SET ACCOUNT=%1
IF NOT DEFINED ACCOUNT GOTO USAGE
REM -limit 0 returns all OUs (dsquery stops at 100 by default); delims= keeps the whole DN
FOR /F "usebackq delims=" %%i IN (`dsquery ou -limit 0`) DO (
    dsacls %%i | find /I "%1" > nul
    IF ERRORLEVEL 1 (
        echo Account %1 has no explicit entries in the DACL of %%i
    ) ELSE (
        echo Account %1 has explicit entries in the DACL of %%i
    )
)
GOTO :EOF
:USAGE
echo USAGE: %0 [account name or security group]
echo EXAMPLE: %0 Administrator
You can run this command and export the information to a .txt file:
DelegateView.bat Contoso\Ed.Price >DelegateOUs.txt
To view the ACEs of an OU using Ldp.exe, follow these steps:
Run LDP.exe. In LDP, on the Connection menu, click Connect to connect to a domain or a specific domain controller.
In the Connect dialog box, in the Server box, type a server name or leave the entry blank to connect to the local server, and then click OK (in my example: DC1.Contoso.Com).
On the Connection menu, click Bind.
In the Bind dialog box, type a user name and password (I logged on to the server as Administrator), and then click OK to bind to Active Directory.
On the View menu, click Tree. In the BaseDN box, either type a specific distinguished name (DN) or leave BaseDN blank to view the entire domain. I typed OU=NewYork,DC=Contoso,DC=Com for my example.
To view the security descriptor of an OU, right-click the OU in the tree view, select Advanced, select Security Descriptor, and then in the Security Descriptor dialog box click OK.
Now we can see Ed.Price's ACEs and all other ACEs on OU=NewYork. We can add, delete and edit ACEs.
For example, I click Ed.Price and then click the Edit ACE button. We can see that Ed.Price has Create and Delete User objects delegated permissions on OU=NewYork.
For example, we want to view who has delegated permissions on the Employee organizational unit, and which permissions (my domain name is Contoso.com). Here is the command:
ACLDiag.exe "OU=Employee,DC=Contoso,DC=Com" /chkdeleg
First, we look at the Delegation Template Diagnosis part. This part shows that Ed.Price has some delegated permissions, but what is @dsuiwiz.dll,-301 or @dsuiwiz.dll,-302, etc.?
Don't worry. I will show you what @dsuiwiz.dll,-301 etc. means.
We must edit the delegwiz.inf file. On Windows 2000 and Windows Server 2003 the delegwiz.inf file is located in the directory %windir%\Inf, and on Windows Server 2008 and 2008 R2 in the directory
Open delegwiz.inf with Notepad (you must have permission to change and save this file). By default delegwiz.inf has 13 templates. Microsoft has released a total of 70 templates on this page (Appendix O: Active Directory Delegation Wizard File).
Now you can see that the delegation description of template1 is
Description = "@dsuiwiz.dll,-301".
I remove Description = "@dsuiwiz.dll,-301" and set Description = Create, delete, and manage user accounts.
I run this command again:
Now we can see Ed.Price's delegated permissions with the correct descriptions.
AdFind was created by Joe Richards, a great Active Directory MVP who has created more free tools.
AdFind Usage and examples.
I run this command to view Ed.Price's delegated permissions on the Employee organizational unit (my domain name is Contoso.com):
AdFind -b "OU=Employee,DC=Contoso,DC=Com" -s base nTSecurityDescriptor -sddl++ -resolvesids
Information about this command:
1- -b: the base DN of the search (here the Employee OU).
2- -s scope: Scope of search. Base, One[Level], Sub[tree].
3- nTSecurityDescriptor: the attribute holding the object's security descriptor.
4- -sddl++: Decode of security descriptors. This will take an SD such as nTSecurityDescriptor and decode it to SDDL.
5- -resolvesids: Resolve SIDs to names.
Now we can view Ed.Price's delegated permissions and all other permissions on the Employee organizational unit.
When we need to view the delegated permissions of a specific user or group, we run this command; here we view just Ed.Price's delegated permissions on the Employee organizational unit:
Adfind -b "OU=Employee,DC=Contoso,DC=Com" -s subtree -f (objectClass=organizationalUnit) nTSecurityDescriptor -sddl++ -resolvesids -sddlfilter ;;;;;"CONTOSO\Ed.Price" -sddlnotfilter ;inherited -recmute
Now I need all of Ed.Price's delegated permissions on all OUs in the domain. I run this command:
Adfind -b "DC=Contoso,DC=Com" -s subtree -f (objectClass=organizationalUnit) nTSecurityDescriptor -sddl++ -resolvesids -sddlfilter ;;;;;"CONTOSO\Ed.Price" -sddlnotfilter ;inherited -recmute
Ed.Price has delegated permissions on the NewYork and Employee OUs.
Now I will view on which computers in the domain Ed.Price has specific permissions. I run this command:
Adfind -b "DC=Contoso,DC=Com" -s subtree -f (objectClass=computer) nTSecurityDescriptor -sddl++ -resolvesids -sddlfilter ;;;;;"CONTOSO\Ed.Price" -sddlnotfilter ;inherited -recmute
Ed.Price has specific permissions on NPS and CLIENT1.
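As an added example (not from the original article and not AdFind's code), the following Python script performs the same selection that the -sddlfilter ;;;;;"CONTOSO\Ed.Price" and -sddlnotfilter ;inherited switches above perform, on a decoded nTSecurityDescriptor: it parses the DACL part of an SDDL string into ACEs, resolves SIDs the way -resolvesids would, and keeps only the non-inherited ACEs of one trustee. The SDDL string, the SIDs and the SID-to-name table are constructed for the example; the GUID bf967aba-0de6-11d0-a285-00aa003049e2 is the real schemaIDGUID of the user class, so the first ACE is the "Create and Delete User objects" delegation the article shows for Ed.Price.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the shape of an nTSecurityDescriptor rendered as SDDL
# (what "AdFind ... nTSecurityDescriptor -sddl" prints); not real AdFind output.
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    "(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;S-1-5-21-1-2-3-1104)"
    "(A;CIID;GA;;;S-1-5-21-1-2-3-512)"
    "(OA;CIID;RP;bf967aba-0de6-11d0-a285-00aa003049e2;;S-1-5-21-1-2-3-1104)"
)
# Constructed SID-to-name table standing in for AdFind's -resolvesids.
SID_NAMES = {"S-1-5-21-1-2-3-1104": "CONTOSO\\Ed.Price",
             "S-1-5-21-1-2-3-512": "CONTOSO\\Domain Admins"}
# Subset of the SDDL two-letter right codes, and the schemaIDGUID of the user class.
RIGHTS = {"CC": "CreateChild", "DC": "DeleteChild", "LC": "ListChildren",
          "RP": "ReadProperty", "WP": "WriteProperty", "DT": "DeleteTree",
          "WD": "WriteDacl", "WO": "WriteOwner", "GA": "GenericAll"}
OBJ_TYPES = {"bf967aba-0de6-11d0-a285-00aa003049e2": "user"}

@dataclass
class Ace:
    ace_type: str      # A = allow, D = deny, OA / OD = object-specific allow / deny
    rights: List[str]
    object_type: str   # child class or property the ACE is limited to ("" = whole object)
    trustee: str       # resolved name, or the raw SID when it is not in SID_NAMES
    inherited: bool    # the ACE carries the ID flag, i.e. it came from a parent

def _pairs(s: str) -> List[str]:
    return [s[i:i + 2] for i in range(0, len(s), 2)]

def parse_dacl(sddl: str) -> List[Ace]:
    """Split the D: section of an SDDL string into ACEs (owner, group and SACL ignored)."""
    dacl = re.search(r"D:(.*?)(?=S:|$)", sddl).group(1)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl):
        ace_type, flags, rights, obj_guid, _inherit_guid, sid = body.split(";")[:6]
        decoded = [rights] if rights.startswith("0x") else [RIGHTS.get(p, p) for p in _pairs(rights)]
        aces.append(Ace(ace_type, decoded, OBJ_TYPES.get(obj_guid, obj_guid),
                        SID_NAMES.get(sid, sid), "ID" in _pairs(flags)))
    return aces

def explicit_aces_for(sddl: str, trustee: str) -> List[Ace]:
    """The selection that -sddlfilter ;;;;;"trustee" -sddlnotfilter ;inherited makes."""
    return [a for a in parse_dacl(sddl) if a.trustee == trustee and not a.inherited]
```

Calling explicit_aces_for(SAMPLE_SDDL, "CONTOSO\\Ed.Price") returns only the object-specific ACE granting CreateChild and DeleteChild on user objects; the inherited ReadProperty ACE for the same trustee is dropped, just as it is by -sddlnotfilter ;inherited.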
We can view all permissions for the Employee organizational unit with Dsacls; the following command lists all of them in a .txt file:
Dsacls OU=Employee,DC=Contoso,DC=Com > C:\Dsacls.txt
The default permissions of the Employee organizational unit in the domain can be reset as follows:
Dsacls OU=Employee,DC=Contoso,DC=Com /S
The permissions of a specific user or group can be removed with this command (example: User=Ed.Price, OU=Employee, Domain=Contoso.com):
Dsacls OU=Employee,DC=Contoso,DC=Com /R Contoso.com\Ed.Price
We can use the userPrincipalName (UPN) in this command too:
Dsacls OU=Employee,DC=Contoso,DC=Com /R Ed.Price@Contoso.com
I used Windows PowerShell ISE in this example with the Quest PowerShell cmdlets. Open Windows PowerShell ISE with Run as administrator.
Run the following command to load the Quest PowerShell commands.
Now we can view all permissions for the Delegation organizational unit with the following command:
Get-QADObject 'contoso.com/delegation' -SecurityMask Dacl | Get-QADPermission -UseExtendedMatch -Inherited -SchemaDefault -Property ('sAMAccountName','name')
But we will view just the delegated permissions for the Delegation organizational unit with the following command:
$Deleg=Get-QADObject 'contoso.com/delegation' -SecurityMask Dacl -SizeLimit 0 | Get-QADPermission -UseTokenGroups
Now, run the following command:
$Deleg | FT Account,TargetObject,Rights,RightsDisplay
As you see, a user (r.mueller) and a group (SecGlobalGroup) have delegated permissions, but who is a member of this group?
We use this command to see who is a member of the SecGlobalGroup group:
Get-QADGroupMember "SecGlobalGroup" -indirect
As you see, two users (Ed Price and user 2) and a group (SecDLGroup) have delegated permissions too.
Now we will see which delegated permissions Ed Price has on all objects in the domain; we run the following command:
$Deleg=Get-QADObject -SecurityMask Dacl -SizeLimit 0 | Get-QADPermission -Account ('contoso\ed.price') -Inherited -SchemaDefault -Verbose
Now, run the following command:
Another example: to show who has the WriteProperty right on Ed Price's user account, run the following command:
Get-QADUser 'contoso\ed.price' -SecurityMask Dacl | Get-QADPermission -Rights 'WriteProperty' -UseExtendedMatch -Inherited -SchemaDefault -Verbose -Allow -Property ('sAMAccountName','name')
You can find more PowerShell examples; here is a very good article:
Best Practice: How to delegate AD permission to Organisational Units using the PowerShell command Add-QADPermission (Alan Burchill - MVP)
Robin Granberg (MSFT) created a great PowerShell GUI tool. This tool creates reports of the access control lists of all your Active Directory objects. With these reports you can see what, where and when permissions have been set.
You can read an article about AD ACL Scanner 1.2 at this link:
Take Control Over AD Permissions and the AD ACL Scanner Tool
You can download it from this link:
AD ACL Scanner 1.2
Active Directory attributes in the ADUC GUI tool