Dsrevoke is a command-line tool that can be used to identify the location of all permissions that may be specified for a specific user or group in a domain. It can also be used to remove all permissions specified for a particular user or group on OU objects as long as they are explicit in nature.

It is was primarily provided by Microsoft to complement the functionality provided by Microsoft's Delegation of Control Wizard, which can be accessed from the Microsoft Active Directory Users and Computers (ADU&C) Snap-in and which is used to delegate administrative authority.

dsrevoke complements ADU&C by providing the ability to revoke delegated administrative authority.

+ Pros: Free, Can be used to find out where all a user or group has permissions specified in AD OUs

- Cons: Severely limited in its ability to find out where else a user/group has permissions, and/or identify where all a user/group has what type of permissions

Download Point: dsrevoke can be downloaded from here.

Tip: Although dsrevoke can be used to view Active Directory inherited/delegated permissions, if you're looking to do any kind of serious permissions analysis, checkout Microsoft's acldiag tool.

No comments:

Post a Comment