A. Windows Server 2003 and Windows 2000 Server provide helpful wizards for delegating permissions to users in AD. However, no wizard lets you view the delegations that already exist. To see them, you must manually inspect the security settings (the DACLs) that have been applied to containers and objects.

Microsoft recently released a tool that makes it easier to view existing permissions delegations. You can download the tool--called Dsrevoke--from the Microsoft Web site. Dsrevoke reports the permissions granted to a security principal on a domain and/or organizational units (OUs), and with the /remove switch it also lets you remove those permissions. For example, the following sample Dsrevoke command reports the permissions held by the HelpDesk group in the demo domain, starting at the Testing OU in the demo.test domain:

dsrevoke /report /root:ou=testing,dc=demo,dc=test demo\helpdesk

The command displays these onscreen messages:

ACE #1
Object: OU=testing,DC=demo,DC=test
Security Principal: DEMO\HelpDesk

Permissions:
READ PROPERTY
WRITE PROPERTY
ACE Type: ALLOW

ACE does not apply to this object
ACE inherited by all child objects of class User

ACE #2
Object: OU=testing,DC=demo,DC=test
Security Principal: DEMO\HelpDesk

Permissions:
EXTENDED ACCESS
ACE Type: ALLOW

ACE does not apply to this object
ACE inherited by all child objects of class User

# of ACEs for demo\helpdesk = 2

You can see in the output that the HelpDesk group has two access control entries (ACEs) on the Testing OU, both inherit-only (they don't apply to the OU itself, only to child User objects). However, the output doesn't tell you the exact permissions: EXTENDED ACCESS names a control access right and WRITE PROPERTY names an attribute write, but Dsrevoke doesn't show which extended right or which attribute each ACE is scoped to. To determine this information, you must first enable the Advanced view in the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in. Then, at the container's Properties page, select the Security tab and click the Advanced button. To view a group's permissions, select the Permissions tab, then select the group and click Edit, as the Figure shows. In this example, the HelpDesk group has permissions to reset passwords (the Reset Password extended right) and to force a password change at next logon (write access to the pwdLastSet attribute).

Dsrevoke is most effective when delegation has been defined by using roles--that is, users are placed in a group, and the group is given permissions at a domain or OU level, instead of via individual objects. Because the tool walks only domain and OU objects, ACEs set directly on individual user, group, or computer objects, or on non-OU containers, won't appear in its report, and it reports only the principal you name, without expanding nested group membership.
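The following PowerShell script is an added example, not code from the original article or from the Dsrevoke tool. It does what the Dsrevoke report and the Advanced Security dialog do together: it lists the ACEs granted to one principal on one OU and resolves each ACE's ObjectType and InheritedObjectType GUIDs to the attribute, class, or control access right they name, so an "EXTENDED ACCESS" entry reads as "Reset Password" and a "WRITE PROPERTY" entry reads as "pwdLastSet". It assumes the ActiveDirectory module (RSAT) on a domain-joined machine; the OU distinguished name and principal name are assumptions that mirror the article's example.

```powershell
# Added example: enumerate the ACEs a security principal holds on an OU and
# translate the GUIDs behind "EXTENDED ACCESS" / "WRITE PROPERTY" into names.
# Requires the ActiveDirectory module (RSAT). Not part of the original article.
Import-Module ActiveDirectory

$OuDn      = 'OU=Testing,DC=demo,DC=test'   # assumed, mirrors the article's example
$Principal = 'DEMO\HelpDesk'                 # assumed, mirrors the article's example

$rootDse = Get-ADRootDSE

# Build one lookup table: schemaIDGUID -> attribute/class lDAPDisplayName,
# and rightsGuid -> control access right displayName (e.g. "Reset Password").
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

function Resolve-AceGuid([guid]$Guid) {
    # An empty GUID means the ACE is not scoped to a particular attribute,
    # class, or right; an unknown GUID is shown raw rather than guessed.
    if ($Guid -eq [guid]::Empty) { return '(all)' }
    if ($guidMap.ContainsKey($Guid)) { return $guidMap[$Guid] }
    return $Guid.ToString()
}

# The AD: PSDrive exposes the object's DACL through Get-Acl.
$acl = Get-Acl -Path "AD:\$OuDn"

$acl.Access |
    Where-Object { $_.IdentityReference.Value -eq $Principal } |
    ForEach-Object {
        [pscustomobject]@{
            Type        = $_.AccessControlType            # Allow / Deny
            Rights      = $_.ActiveDirectoryRights        # e.g. ExtendedRight, WriteProperty
            AppliesTo   = Resolve-AceGuid $_.ObjectType   # attribute or extended right name
            InheritedBy = Resolve-AceGuid $_.InheritedObjectType   # child object class
            # Dsrevoke's "ACE does not apply to this object" == inherit-only
            ThisObject  = ($_.InheritanceType -ne 'Descendents')
            Inheritance = $_.InheritanceType
        }
    } | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on a machine with RSAT; for the delegation the article describes, the two rows show Rights of ExtendedRight with AppliesTo "Reset Password" and WriteProperty with AppliesTo "pwdLastSet", both with InheritedBy "user" and ThisObject False. Change $OuDn to the domain DN to check domain-level delegations, or loop the Get-Acl call over every OU returned by Get-ADOrganizationalUnit -Filter * to audit the whole domain, which is the scan Dsrevoke performs when you omit /root.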