Q. How can I view the state of Active Directory (AD) permissions delegations?

John Savill

November 14, 2004


A. Windows Server 2003 and Windows 2000 Server provide helpful wizards for delegating permissions to users in AD. However, no wizard lets you view existing delegations. To do so, you must manually view the security settings that have been applied on containers and objects.

Microsoft recently released a tool that makes it easier to view existing permissions delegations. You can download the tool--called Dsrevoke--from the Microsoft Web site. Dsrevoke reports on the permissions for a domain and/or organizational units (OUs) and also lets you remove permissions. For example, the following sample Dsrevoke command checks for permissions held by the HelpDesk group in the demo domain, scoped to the Testing OU in the demo.test domain:

dsrevoke /report /root:ou=testing,dc=demo,dc=test demo\helpdesk

The command displays these onscreen messages:

ACE #1
Object: OU=testing,DC=demo,DC=test
Security Principal: DEMO\HelpDesk
Permissions:
READ PROPERTY
WRITE PROPERTY
ACE Type: ALLOW
ACE does not apply to this object
ACE inherited by all child objects of class User

ACE #2
Object: OU=testing,DC=demo,DC=test
Security Principal: DEMO\HelpDesk
Permissions:
EXTENDED ACCESS
ACE Type: ALLOW
ACE does not apply to this object
ACE inherited by all child objects of class User

# of ACEs for demo\helpdesk = 2

You can see in the output that the HelpDesk group has several access control entries (ACEs) for the Testing OU; however, the output information doesn't provide the exact permissions for the HelpDesk group. To determine this information, you must first enable the Advanced view in the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in. Then, at the container's Properties page, select the Security tab and click the Advanced button. To view a group's permissions, select the Permissions tab, then select the group and click Edit, as the Figure shows. In this example, the HelpDesk group has permissions to reset passwords and to force a password change. Dsrevoke is most effective when delegation has been defined by using roles--that is, users are placed in a group, and the group is given permissions at a domain or OU level, instead of via individual objects.
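The gap the article describes (Dsrevoke shows that an ACE exists but not which attribute or extended right it covers) can be closed from the command line by reading the OU's DACL and resolving the GUIDs in each ACE. The following script is an added example, not part of the original article or of Dsrevoke; it assumes the RSAT ActiveDirectory module on a domain-joined host, and reuses the article's OU and group names as sample values.

```powershell
# Added example: list the ACEs a given principal holds on an OU and resolve the
# schema/extended-right GUIDs that a raw ACE listing leaves opaque.
# Assumes the ActiveDirectory module; OU and principal are the article's sample values.
Import-Module ActiveDirectory

$OuDn      = 'OU=Testing,DC=demo,DC=test'
$Principal = 'DEMO\HelpDesk'

# Build one GUID -> name table: attributes and classes from the schema partition,
# extended rights and property sets (e.g. Reset Password) from Extended-Rights.
$root    = Get-ADRootDSE
$guidMap = @{}
Get-ADObject -SearchBase $root.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

function Resolve-AdGuid([guid]$g) {
    # An empty GUID means the ACE applies to all attributes / all object classes.
    if ($g -eq [guid]::Empty)   { return 'All' }
    if ($guidMap.ContainsKey($g)) { return $guidMap[$g] }
    return $g.ToString()
}

# Read the OU's DACL through the AD: drive and keep only this principal's ACEs.
$acl = Get-Acl -Path "AD:\$OuDn"
$acl.Access |
    Where-Object { $_.IdentityReference.Value -eq $Principal } |
    ForEach-Object {
        [pscustomobject]@{
            Type        = $_.AccessControlType                   # Allow / Deny
            Rights      = $_.ActiveDirectoryRights               # e.g. ExtendedRight, WriteProperty
            AppliesTo   = Resolve-AdGuid $_.ObjectType           # attribute or extended right
            InheritedTo = Resolve-AdGuid $_.InheritedObjectType  # child object class (e.g. user)
            Inheritance = $_.InheritanceType
            IsInherited = $_.IsInherited
        }
    } | Format-Table -AutoSize
```

For the article's delegation, the output resolves the second ACE's EXTENDED ACCESS to the Reset Password right and the WRITE PROPERTY ACE to the attribute it targets, which is the detail the Dsrevoke report omits.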
