Re: Help! How do I see what OS management rights a Group has?
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 05/27/05
- Next message: Steven L Umbach: "Re: Ask for shuting down"
- Previous message: IanH: "Re: Virus Checking Encrypted Email - Exchange & AD"
- In reply to: gretzkygirl44_at_yahoo.com: "Help! How do I see what OS management rights a Group has?"
- Next in thread: lforbes: "Re: Help! How do I see what OS management rights a Group has?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 26 May 2005 17:52:28 -0500
User rights/privileges will vary depending on the computer a user is logged
onto. User rights/privileges can be assigned in Local Security Policy or at
the domain/Organizational Unit level. For domain controllers look at Domain
Controller Security policy for user rights and keep in mind that in Windows
2000, if the "effective" setting is different from the local setting
then a higher level policy is overriding the local policy. The tool whoami
will show the user rights when a user is logged onto a particular computer.

As far as the Help Desk users, they have been "delegated" permissions to an
Active Directory container that contains the user accounts they can manage.
There is no easy way to find out the delegated permissions other than to
view the permissions [including advanced page] of the AD container such as
an Organizational Unit. It may help to compare permissions to a freshly
created OU created under the domain container to compare permissions to.

You will also find the Group Policy Management Console immensely helpful in
managing and troubleshooting Group Policy, and security policy is a subset of
Group Policy computer configuration. If you have an XP Pro computer in the
domain you can install it on that computer to use to manage Group Policy for
the domain. Of course that computer would need to be a secured admin
workstation as you will have to log on as a domain admin.

--- Steve

http://www.microsoft.com/windowsserver2003/gpmc/default.mspx --- GPMC

<gretzkygirl44@yahoo.com> wrote in message
news:1116881001.153509.291750@g43g2000cwa.googlegroups.com...
> Hi,
> I am trying to figure out how I can see what rights a specific group
> has in an active directory domain. Not what rights the group has to a
> file system but what OS rights they have.
>
> I am taking over management of a domain that I didn't build. It is a
> windows 2000 domain with active directory (I have previously only
> managed NT domains). There are several users put into several different
> groups. HelpDesk, Assistants, CallCenter, etc, etc. I am trying to go
> back and document what rights HelpDesk and the other groups were
> assigned at creation. I thought most rights would be assigned from
> 'local security settings' but I don't see the information I am looking
> for in there. For example, I know users in 'Help Desk' can reset/change
> passwords from testing with their IDs (and help desk isn't part of a
> built in like account operators). Is there somewhere in a gui or a
> command line option to list all rights a group was given at creation?
>
> If I click on the group properties I only see, members, members of,
> etc.
>
> Thanks for any advice!
> M
>
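
One way to document which user rights a group holds on a given computer, added here as an example and not part of the original post: parse the `[Privilege Rights]` section of a security policy export and list the rights assigned to one principal. It assumes the export was made on the computer in question with `secedit /export /cfg rights.inf /areas USER_RIGHTS`; the sample text, the `EXAMPLE\HelpDesk` group and the function names are constructed for illustration. Delegated Active Directory permissions are ACL entries on the OU and do not appear in this export.

```python
# Constructed sample of a secedit user-rights export (the real file is UTF-16;
# open it with encoding="utf-16"). Group names here are made up.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544,EXAMPLE\\HelpDesk
SeShutdownPrivilege = *S-1-5-32-544,EXAMPLE\\HelpDesk
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeDenyNetworkLogonRight =
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Well-known SIDs that secedit writes as *S-... instead of a name.
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-551": "BUILTIN\\Backup Operators",
}

def parse_privilege_rights(inf_text):
    """Return {right: [principals]} from the [Privilege Rights] section only."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):  # a new section header starts or ends our section
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            members = [m.strip().lstrip("*") for m in value.split(",") if m.strip()]
            rights[name.strip()] = [WELL_KNOWN.get(m, m) for m in members]
    return rights

def rights_for_principal(rights, principal):
    """Sorted list of rights that name the principal directly (case-insensitive)."""
    wanted = principal.lower()
    return sorted(r for r, who in rights.items()
                  if any(p.lower() == wanted for p in who))

if __name__ == "__main__":
    for right in rights_for_principal(parse_privilege_rights(SAMPLE_INF), "EXAMPLE\\HelpDesk"):
        print(right)
```

Only direct assignments are matched; rights a group inherits through membership in another listed group have to be resolved separately.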