OU delegates question

Sie Member Posts: 1,195
How can you check who has delegated control to an OU in AD?
(I know how to delegate control, I just don't know how to check who is delegated!)

Cheers in advance.
Foolproof systems don't take into account the ingenuity of fools

Comments

  • eurotrash Member Posts: 817
    I don't know either, but you can check the permissions and see who has what (special permissions) as this is what the delegation affects. Also you can check the effective permissions tab for a user/group to see what it has been delegated.
    Rudimentary, I know, and there must be a better way.
    witty comment
  • blargoe Member Posts: 4,174
    I always use the effective permissions thingy.
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
  • Sie Member Posts: 1,195
    What I want to do is to find from an OU who has access, as opposed to knowing what groups have access to what OUs.

    I'm trying to find the groups that are delegated to a specific OU and don't want to have to go through each group to check!!

    Something similar to the 'members' tab in a group security setting rather than the 'member of' tab. (Hmmm.... making little sense I am.)
    Foolproof systems don't take into account the ingenuity of fools
  • Danman32 Member Posts: 1,243
    You probably would need a third party product that will do the backtracking for you. As it stands now, we are lucky we now have the 'effective permissions' tab as it is. Unfortunately you have to give the security principal you want to verify against the resource. You can't ask what security principals have indirect access to a specific resource through groups, though you can now get direct principal access through inheritance.

    Of course you could try extracting info using the command line utilities and write a script to process them.
    Get the groups that have permissions, then have the script expand out the group memberships recursively down to the user.
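
The script approach described in the last comment, as an added example that is not part of the original thread: it reads the ACEs set directly on one OU and expands each group trustee recursively down to its members. It assumes the RSAT ActiveDirectory PowerShell module on a domain-joined machine; the OU distinguished name and the skip list are placeholders to adjust.

```powershell
# Requires the RSAT ActiveDirectory module, which also provides the AD: drive.
Import-Module ActiveDirectory

# Placeholder DN (assumption): replace with the OU you want to audit.
$OuDn = 'OU=Example,DC=example,DC=com'

# Trustees to ignore because they are not delegations (assumption: extend
# this list with whatever default entries your domain puts on new OUs).
$Skip = 'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'CREATOR OWNER'

# ACEs set on the OU itself (not inherited) that grant access: this is
# where a delegation made on this OU is stored.
$aces = (Get-Acl -Path "AD:\$OuDn").Access | Where-Object {
    -not $_.IsInherited -and
    $_.AccessControlType -eq 'Allow' -and
    $Skip -notcontains $_.IdentityReference.Value
}

$report = foreach ($ace in $aces) {
    $trustee = $ace.IdentityReference
    $via     = $trustee.Value
    try {
        # Resolve the trustee to a SID, then expand it as a group.
        # -Recursive walks nested groups and returns only the leaf members.
        $sid = $trustee.Translate([System.Security.Principal.SecurityIdentifier]).Value
        $who = @(Get-ADGroupMember -Identity $sid -Recursive -ErrorAction Stop).SamAccountName
        if (-not $who) { $who = '(empty group)' }
    } catch {
        # Not a group in this domain: the trustee is itself the end principal.
        $who = $trustee.Value
        $via = '(direct)'
    }
    foreach ($w in $who) {
        [pscustomobject]@{
            Principal  = $w                         # who ends up with the access
            Via        = $via                       # group the ACE names, or (direct)
            Rights     = $ace.ActiveDirectoryRights
            ObjectType = $ace.ObjectType            # GUID of the attribute/class/extended right
            AppliesTo  = $ace.InheritanceType       # this object, children, or both
        }
    }
}

$report | Sort-Object Principal, Via | Format-Table -AutoSize
```

Removing the `-not $_.IsInherited` condition also lists delegations made on parent containers that flow down to this OU.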