Is there a way to print out who has what authority over an organizational unit (OU)?
The answer is Dsacls, which is part of the Windows 2000 Support Tools. Dsacls lets you modify or print the ACL of any object in Active Directory (AD). All you need to do is give Dsacls the AD path of the OU without any other parameters, and Dsacls will write the OU's ACLs to standard output (stdout), which you can redirect to a file. For example, if you type
Dsacls will display the ACL for the New York\Marketing OU in the acme.com domain, which Web Figure 1 (http://www.secadministrator.com, InstantDoc ID 25733) shows. The Dsacls output is quite verbose and comprises two main sections. Dsacls first lists effective permissions for the object, then lists all permissions that are propagated to subobjects.
Each access control entry (ACE) begins with either Allow or Deny, followed by the user or group, then the high-level permission, such as FULL CONTROL. If the user or group has been granted special low-level permissions, Dsacls lists each one. If a user or group inherited an ACE, you'll see
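
The following is an added example, not part of the original article: a PowerShell function that turns a saved Dsacls listing into one record per ACE, tagged with the section it came from, so the verbose output can be filtered or exported. The sample text is constructed; the section header wording, the gap of two or more spaces between the trustee and permission columns, and the `ACME\...` names are assumptions.

```powershell
# Constructed sample of a Dsacls listing (not real output); layout is an assumption.
# To use a real listing, redirect Dsacls to a file and read it back:
#   dsacls "<OU distinguished name>" > ou-acl.txt ; $lines = Get-Content ou-acl.txt
$sample = @'
Access list:
Effective Permissions on this object are:
Allow ACME\Domain Admins                  FULL CONTROL
Allow ACME\Marketing Helpdesk             SPECIAL ACCESS
                                          LIST CONTENTS
                                          READ PROPERTY
Deny  ACME\Contractors                    FULL CONTROL
Permissions inherited to subobjects are:
Allow ACME\Marketing Admins               FULL CONTROL
'@

function ConvertFrom-DsaclsText {
    param([string[]]$Line)
    $section = 'Unknown'
    $ace = $null
    foreach ($l in $Line) {
        # Track which of the two main sections the following ACEs belong to.
        if ($l -match '^Effective Permissions') { $section = 'Effective'; continue }
        if ($l -match '^Permissions inherited to subobjects') { $section = 'Propagated'; continue }
        # ACE line: Allow/Deny, trustee (may contain single spaces), high-level permission.
        if ($l -match '^(Allow|Deny)\s+(.+?)\s{2,}(\S.*)$') {
            if ($ace) { $ace }   # emit the previous ACE before starting a new one
            $ace = [pscustomobject]@{
                Section    = $section
                Type       = $Matches[1]
                Trustee    = $Matches[2]
                Permission = $Matches[3].Trim()
                Details    = @()
            }
            continue
        }
        # Indented lines are the low-level permissions of the ACE above them.
        if ($ace -and $l -match '^\s+(\S.*)$') { $ace.Details += $Matches[1].Trim() }
    }
    if ($ace) { $ace }           # emit the last ACE
}

$aces = ConvertFrom-DsaclsText -Line ($sample -split '\r?\n')
# Review Deny entries and anything broader than expected first.
$aces | Sort-Object Section, Type |
    Format-Table Section, Type, Trustee, Permission,
        @{ Name = 'Details'; Expression = { $_.Details -join '; ' } }
```

Piping `$aces` to `Export-Csv` instead of `Format-Table` gives a file that can be compared between runs to spot delegation changes on the OU.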