Help! How do I see what OS management rights a Group has?

Guest
Archived from groups: microsoft.public.win2000.active_directory,microsoft.public.win2000.security

Hi,
I am trying to figure out how I can see what rights a specific group
has in an active directory domain. Not what rights the group has to a
file system but what OS rights they have.

I am taking over management of a domain that I didn't build. It is a
windows 2000 domain with active directory (I have previously only
managed NT domains). There are several users put into several different
groups. HelpDesk, Assistants, CallCenter, etc, etc. I am trying to go
back and document what rights HelpDesk and the other groups were
assigned at creation. I thought most rights would be assigned from
'local security settings' but I don't see the information I am looking
for in there. For example, I know users in 'Help Desk' can reset/change
passwords from testing with their IDs (and help desk isn't part of a
built in like account operators). Is there somewhere in a gui or a
command line option to list all rights a group was given at creation?

If I click on the group properties I only see, members, members of,
etc.

Thanks for any advice!
M
 
Guest

The situation is really no different in post-NT4 compared to NT4.

The systems may be called on to show what constitutes a group, or
what group(s) are given specific grants, but not to invert the inquiry
and show all grants given to a specific group.

For that, given that you are not in a position to do the right thing
and address this with design, implementation practices, and change
control (i.e. with doc capture/update), you are in a position where
you need to recurse over all (likely first) securable objects in order
to start to answer your question. AD objs/attribs, NTFS, reg, COM+,
user rights, etc. does not matter, you will have to enumerate over them
and correlate the grants (or buy a product).

--
Roger Abell
Microsoft MVP (Windows Security)

<gretzkygirl44@yahoo.com> wrote in message
news:1116881001.153509.291750@g43g2000cwa.googlegroups.com...
> Hi,
> I am trying to figure out how I can see what rights a specific group
> has in an active directory domain. Not what rights the group has to a
> file system but what OS rights they have.
>
> I am taking over management of a domain that I didn't build. It is a
> windows 2000 domain with active directory (I have previously only
> managed NT domains). There are several users put into several different
> groups. HelpDesk, Assistants, CallCenter, etc, etc. I am trying to go
> back and document what rights HelpDesk and the other groups were
> assigned at creation. I thought most rights would be assigned from
> 'local security settings' but I don't see the information I am looking
> for in there. For example, I know users in 'Help Desk' can reset/change
> passwords from testing with their IDs (and help desk isn't part of a
> built in like account operators). Is there somewhere in a gui or a
> command line option to list all rights a group was given at creation?
>
> If I click on the group properties I only see, members, members of,
> etc.
>
> Thanks for any advice!
> M
>
 
Guest

User rights/privileges will vary depending on the computer a user is logged
onto. User rights/privileges can be assigned in Local Security Policy or at
the domain/Organizational Unit level. For domain controllers look at Domain
Controller Security policy for user rights and keep in mind that in Windows
2000 that if the "effective" setting is different from the local setting
then a higher level policy is overriding the local policy. The tool whoami
will show the user rights when a user is logged onto a particular computer.

As far as the Help Desk users, they have been "delegated" permissions to an
Active Directory container that contains the user accounts they can manage.
There is no easy way to find out the delegated permissions other than to
view the permissions [including advanced page] of the AD container such as
an Organizational Unit. It may help to compare permissions to a freshly
created OU created under the domain container to compare permissions to. You
will also find the Group Policy Management Console immensely helpful in
managing and troubleshooting Group Policy and security policy is a subset of
Group Policy computer configuration. If you have an XP Pro computer in the
domain you can install it on that computer to use to manage Group Policy for
the domain. Of course that computer would need to be a secured admin
workstation as you will have to logon as a domain admin. --- Steve

http://www.microsoft.com/windowsserver2003/gpmc/default.mspx --- GPMC

<gretzkygirl44@yahoo.com> wrote in message
news:1116881001.153509.291750@g43g2000cwa.googlegroups.com...
> Hi,
> I am trying to figure out how I can see what rights a specific group
> has in an active directory domain. Not what rights the group has to a
> file system but what OS rights they have.
>
> I am taking over management of a domain that I didn't build. It is a
> windows 2000 domain with active directory (I have previously only
> managed NT domains). There are several users put into several different
> groups. HelpDesk, Assistants, CallCenter, etc, etc. I am trying to go
> back and document what rights HelpDesk and the other groups were
> assigned at creation. I thought most rights would be assigned from
> 'local security settings' but I don't see the information I am looking
> for in there. For example, I know users in 'Help Desk' can reset/change
> passwords from testing with their IDs (and help desk isn't part of a
> built in like account operators). Is there somewhere in a gui or a
> command line option to list all rights a group was given at creation?
>
> If I click on the group properties I only see, members, members of,
> etc.
>
> Thanks for any advice!
> M
>
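The replies above say the only way to answer "what was this group granted?" is to walk the securable objects and correlate the grants. The following is an added example, not code from anyone in this thread, that does this for directory-object DACLs only (user rights, NTFS and registry need their own pass). It assumes each OU's security descriptor has already been exported as an SDDL string; the SID, OU names and descriptors are constructed sample data.

```python
import re

# Two-letter SDDL right codes used on directory objects.
RIGHTS = {"CC": "CreateChild", "DC": "DeleteChild", "LC": "ListChildren",
          "SW": "SelfWrite", "RP": "ReadProperty", "WP": "WriteProperty",
          "DT": "DeleteTree", "LO": "ListObject", "CR": "ExtendedRight",
          "SD": "Delete", "RC": "ReadControl", "WD": "WriteDacl",
          "WO": "WriteOwner", "GA": "GenericAll"}
RESET = "00299570-246d-11d0-a768-00aa006e0529"  # Reset Password extended right
USER = "bf967aba-0de6-11d0-a285-00aa003049e2"   # schema GUID of the user class
# Well-known GUIDs; anything not listed is reported as the raw GUID.
GUIDS = {RESET: "Reset Password", USER: "user objects",
         "ab721a53-1e2f-11d0-9819-00aa0040529b": "Change Password"}
ACE_TYPES = {"A": "allow", "D": "deny", "OA": "allow", "OD": "deny"}

def pairs(code):
    """Split a run of two-letter SDDL codes: 'CIIO' -> ['CI', 'IO']."""
    return [code[i:i + 2] for i in range(0, len(code), 2)]

def grants_for(sid, descriptors):
    """Return every DACL entry naming `sid` in {object DN: SDDL string}."""
    found = []
    for dn, sddl in descriptors.items():
        # Take only the DACL ("D:" plus flags, then ACEs), never the SACL.
        dacl = re.search(r"D:[A-Z_]*((?:\([^()]*\))+)", sddl)
        for ace in re.findall(r"\(([^()]*)\)", dacl.group(1) if dacl else ""):
            fields = ace.split(";")
            if len(fields) < 6 or fields[5] != sid or fields[0] not in ACE_TYPES:
                continue
            kind, flags, rights, obj, inherit_obj = fields[:5]
            found.append({
                "object": dn,
                "access": ACE_TYPES[kind],
                "rights": [rights] if rights.startswith("0x")
                          else [RIGHTS.get(r, r) for r in pairs(rights)],
                "target": GUIDS.get(obj.lower(), obj or "all"),
                "applies_to": GUIDS.get(inherit_obj.lower(), inherit_obj or "any"),
                "inherited": "ID" in pairs(flags),  # ID flag = came from a parent
            })
    return found

HELPDESK = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # constructed SID
SAMPLE = {  # constructed descriptors, not taken from a real domain
    "OU=Staff,DC=example,DC=com":
        f"O:DAG:DAD:AI(A;;GA;;;DA)(OA;CIIO;CR;{RESET};{USER};{HELPDESK})",
    "OU=CallCenter,OU=Staff,DC=example,DC=com":
        f"O:DAG:DAD:AI(A;;GA;;;DA)(OA;CIIOID;CR;{RESET};{USER};{HELPDESK})",
    "OU=Servers,DC=example,DC=com": "O:DAG:DAD:AI(A;;GA;;;DA)(A;CI;RPWP;;;AO)",
}
print(*grants_for(HELPDESK, SAMPLE), sep="\n")
```

Entries with `inherited` set to false mark the container where the delegation was actually made; the inherited ones only repeat it further down the tree.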
 
Guest

"gretzkygirl44" wrote:
> Hi,
> I am trying to figure out how I can see what rights a specific group
> has in an active directory domain. Not what rights the group has to a
> file system but what OS rights they have.
>
> I am taking over management of a domain that I didn't build. It is a
> windows 2000 domain with active directory (I have previously only
> managed NT domains). There are several users put into several different
> groups. HelpDesk, Assistants, CallCenter, etc, etc. I am trying to go
> back and document what rights HelpDesk and the other groups were
> assigned at creation. I thought most rights would be assigned from
> 'local security settings' but I don't see the information I am looking
> for in there. For example, I know users in 'Help Desk' can reset/change
> passwords from testing with their IDs (and help desk isn't part of a
> built in like account operators). Is there somewhere in a gui or a
> command line option to list all rights a group was given at creation?
>
> If I click on the group properties I only see, members, members of,
> etc.
>
> Thanks for any advice!
> M

Hi,

Turn on advanced features and view the Security Rights on the OUs and
GPOs. That, and maybe NTFS file permissions, would be the only reason
for creating separate groups.

Cheers,

Lara
