Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
  
  
  Advanced Search 


October 2004

Dsrevoke

Undoing the Delegation of Control Wizard
From the October 2004 Edition
of Windows IT Pro
Mark Minasi
Windows Power Tools
InstantDoc #43865
Windows IT Pro
Email this Article
Printer Friendly
Reader Comments
Digg This
Del.icio.us
RSS
Subscribe to Windows IT Pro | See More Active Directory (AD) Articles Here | Reprints | Or get the Monthly Online Pass—only $5.95 a month!

One of Active Directory's (AD's) greatest strengths, in comparison with Windows NT 4.0 domains, is delegation--the ability to create a user or a group with a finely defined set of powers. Under NT 4.0, users tend to be either all-powerful (e.g., members of the Domain Admins group) or fairly powerless (e.g., members of the Domain Users group). In contrast, AD lets you create "sub-administrators"--people who have administrative power, but not as much power as a domain administrator. AD also lets you give certain people complete control over only a domain subset (i.e., an organizational unit--OU). Best of all, with its Delegation of Control Wizard, Microsoft has simplified the fairly complex task of delegation.

However, for two reasons, AD delegation has never been perfect. First, although a wizard helps you perform delegation, you don't have one for undoing delegation. Removing a power that you've granted is complex, requiring that you drill down through several layers of security GUI. Second, AD doesn't offer a way to easily determine what delegations you've put in place.

With its nifty Dsrevoke command-line tool, Microsoft has simplified both the process of documenting and the process of undelegating existing delegations. You can find Dsrevoke at the Microsoft Download Center (http://www.microsoft.com/downloads).

Documenting
Dsrevoke can tell you exactly what permissions a given user or group has on a domain. In the command

dsrevoke /report <user-or-group-name>

you would use the format domainname\username or domainname\groupname for the user-or-group-name variable, where domainname is the domain's NetBIOS name. (I can't seem to make the DNS name work.) For example, suppose you're working in a domain named bigfirm.biz, with the NetBIOS name Bigfirm. To see the powers that a group called Test has on the local domain, you'd type

dsrevoke /report bigfirm\test

The resulting report won't provide a complete explanation of Test's powers in Bigfirm, but it will identify whether Test has any explicitly delegated powers in Bigfirm. However, the report won't show powers that Test has by virtue of being part of another group. If Test is part of a group called Bigtest, and Bigtest has some power, Test will inherit that power but the Dsrevoke report won't display it because the power isn't explicitly given to Test.

If you want to identify Test's powers in a different domain, you can use the /domain option to specify which domain to report on. This option takes either the NetBIOS or DNS name. If you need to provide Dsrevoke an administrative name and password for that domain, you can use the /username and /password options. For example, the command

dsrevoke /report "/domain:apex.com"
   /username:joeadmin /password:swordfish 
   bigfirm\test

would identify Test's powers on a domain called apex.com. The domain name is surrounded by quotation marks because the domain's DNS name includes a period; any special characters such as spaces and punctuation marks require quotes. This command also tells Dsrevoke to offer the user account name joeadmin and password swordfish, in the event that apex.com wants to know who's asking.

But domains can be large and can contain many OUs. You might not care about what delegated powers a group has except for its powers on a particular OU. To tell Dsrevoke not to search an entire domain but instead a particular OU in a domain, you would use the /root:ou option. You specify an OU in Lightweight Directory Access Protocol (LDAP) format.

Undelegating
To undo the work of the Delegation of Control Wizard, you can replace Dsrevoke's /report option with the /remove option. To remove all the Test group's powers over the Marketing OU in bigfirm.biz, you'd type

dsrevoke /remove "/root:ou=marketing,
dc=bigfirm,dc=biz" bigfirm\test

Dsrevoke will show you all the powers it found for Test in the Marketing OU, then ask "Do you want to remove the above listed ACEs?" Just press Y, and they're all gone. Unfortunately, you can't suppress this confirmation.

I would like to have seen Dsrevoke implemented as a GUI tool because of its potential power. Seeing Test's powers across the domain depicted graphically would have been convenient. However, in its current form, Dsrevoke is still a useful utility to add to your toolbox.

End of Article

Reader Comments
asdf

ShayaanF January 25, 2008 (Article Rating: )

Good read

awmaf January 14, 2009 (Article Rating: )

You must be a registered user or online subscriber to comment on this article. Please log on before posting a comment. Are you a new visitor? Register now




Top Viewed ArticlesView all articles
Command Prompt Tricks

One reader shares his tip for setting up the command prompt to reflect a remote path. ...

WinInfo Short Takes: Week of November 9, 2009

An often irreverent look at some of the week's other news, including some more Windows 7 sales momentum, some Sophos stupidity, Microsoft's cloud computing self-loathing, more whining from the browser makers, Zoho's "Fake Office," and much, much more ...

Understanding File-Size Limits on NTFS and FAT

A general confusion about files sizes on FAT seems to stem from FAT32's file-size limit of 4GB and partition-size limit of 2TB. ...
Active Directory (AD) Whitepapers Meeting Compliance Objectives in SharePoint

Email Controls and Regulatory Compliance
Related Events WinConnections and Microsoft® Exchange Connections

Check out our list of Free Email Newsletters!
Active Directory (AD) eBooks The Essentials Series: Active Directory 2008 Operations

Keeping Your Business Safe from Attack: Monitoring and Managing Your Network Security

Windows 2003: Active Directory Administration Essentials
Related Active Directory (AD) Resources Introducing Left-Brain.com, the online IT bookstore
Looking for books, CDs, toolkits, eBooks? Prime your mind at Left-Brain.com

Discover Windows IT Pro eLearning Series!
Clear & detailed technical information and helpful how-to's, all in our trademark no-nonsense format


ADS BY GOOGLE

Job Openings in IT SPONSORED LINKS FEATURED LINKS
EMC SAN vs. DAS Exchange 2007 Calculator
Calculate your savings now!

Let Your Users Reset Their Own Passwords: Free Download
Try a 30 day free trial of Desktop Authority Password Self-Service – it provides an easy-to-use, robust system for allowing users to reset their own forgotten passwords or locked accounts.


Disaster Recovery Strategies – Tips and Tricks
Determine how you can achieve your DR objectives as simply and cost-effectively as possible.

Get Windows IT Pro & Mark Minasi’s Favorite Power Tools Guide
Order Windows IT Pro now and get "More of Mark Minasi's Favorite Power Tools"--a in-depth guide to the most useful Windows commands --FREE with your paid order! Subscribe today, and save 58% off the cover price!

Migration, Virtualization, Availability, and Desktop Management
Realize the importance of a workload optimization strategy...it can affect your bottom line!

Deep Dive into VMware vSphere, eLearning Series
Join John Savill to explore the major functionality capabilities of the vSphere virtualization platform, including identification of the changes from ESX 3.5.
Windows IT Pro Home Register FAQ for Windows WinInfo News
Europe Edition About Us Contact Us/Customer Service Media Kit Affiliates / Licensing  
SQL Server Magazine Office & SharePoint Pro DevProConnections IT Job Hound
Left-Brain.com Technology Resource Directory asp.netPRO ITTV Windows SuperSite 
 
 Windows IT Pro is a Division of Penton Media Inc.
 © 2009 Penton Media, Inc. Terms of Use | Privacy Statement