Showing posts with label Active Directory Users and Computers. Show all posts

dsacls

DsAcls is a free command-line utility provided by Microsoft that can be used to view and change security permissions on Active Directory objects.



For all practical purposes, it is the command-line equivalent of the Security tab in the Properties dialog box for an Active Directory object in Active Directory tools, such as Active Directory Users and Computers.

It can be used to view the DACL of any Active Directory object. It can also be used to add a new permission to, or remove an existing permission from, an Active Directory object. dsacls is a very useful tool because it lets you manage Active Directory security permissions from the command line.

One of the capabilities of dsacls is the ability to view effective permissions in Active Directory. AD effective permissions are very important for Active Directory security, because they help determine who actually has what delegated access rights on important Active Directory objects.

However, I have found that it is unable to accurately determine AD effective permissions, which unfortunately makes it difficult to rely upon. Upon some research I found that Active Directory Effective Permissions display incorrect information and thus cannot be relied upon.


+ Pros: Free, Can be used to view and modify the security permissions on a single Active Directory object

- Cons: Cannot be used to identify where all a user/group might have permissions in Active Directory, plus its effective permissions capability yields incorrect results.

Download Point: dsacls can be downloaded from here.

Summary: dsacls is a powerful command-line tool that can help view and dump/export Active Directory permissions/ACLs. It is free, however, and supported by Microsoft. Once you know how to use it well, it can also be used to analyze Active Directory permissions, although not as well as one could with a professional-grade Active Directory Permissions Analyzer.
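dsacls reads one object per invocation, so auditing where a trustee has been delegated rights means calling it repeatedly. The following is an added example, not part of the original post: it runs dsacls against every OU under a search base and lists the ACE lines that name a trustee directly. The search base, the trustee name and the availability of the RSAT ActiveDirectory module are assumptions; the script reports ACEs as dsacls prints them and does not compute effective permissions (rights gained through nested group membership are not resolved).

```powershell
# Added example: sweep a subtree with dsacls and list ACEs naming one trustee.
# Assumptions: RSAT ActiveDirectory module installed; values below are placeholders.
Import-Module ActiveDirectory

$SearchBase = 'OU=Corp,DC=example,DC=com'   # placeholder distinguished name
$Trustee    = 'EXAMPLE\HelpDesk'            # placeholder group or user

# Escape wildcard characters so the trustee is matched literally by -like.
$pattern = '*' + [WildcardPattern]::Escape($Trustee) + '*'

$ous = Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase -SearchScope Subtree

$findings = foreach ($ou in $ous) {
    $dn = $ou.DistinguishedName

    # dsacls <DN> with no switches only displays the ACL; it changes nothing.
    $lines = & dsacls.exe $dn 2>$null

    foreach ($line in $lines) {
        # ACE lines start with Allow or Deny. Rights that dsacls wraps onto
        # continuation lines are not captured by this simple filter.
        if ($line -match '^(Allow|Deny)\s' -and $line -like $pattern) {
            [pscustomobject]@{
                Object = $dn
                Type   = $Matches[1]
                Ace    = ($line -replace '\s{2,}', ' | ').Trim()
            }
        }
    }
}

if ($findings) {
    # One row per ACE naming the trustee, grouped by the OU it is set on.
    $findings | Sort-Object Object, Type | Format-Table -AutoSize -Wrap
} else {
    Write-Output "No ACEs naming $Trustee found under $SearchBase"
}
```

Run it from an account that can read the ACLs in the subtree; review any Allow entry on an OU where the trustee is not part of your documented delegation model.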

Standard Microsoft Active Directory Management Tools (Active Directory Users and Computers)

Microsoft Windows Server ships with a standard set of Microsoft Management Console (MMC) Snap-Ins that can be used to manage various aspects of Active Directory, including managing your OU hierarchy, implementing your delegation model, and creating, modifying and managing the life-cycle of user accounts and security groups.

  


There are four MMC Snap-Ins that can help you manage various aspects of AD -

  1. Active Directory Users and Computers Snap-In - This MMC snap-in, also known as ADU&C, is the main tool used to create and manage your Active Directory hierarchy, create and delete OUs and Containers, and create and manage user accounts, security groups and other IT resources.
  2. Active Directory Domains and Trusts Snap-In - This snap-in is used to establish, configure and manage trust relationships between various domains and forests. You can use it to create short-cut trust relationships, external trust relationships, and cross-forest trust relationships as well.
  3. Active Directory Sites and Services Snap-In - This snap-in is used to define, configure and maintain Active Directory sites, subnets, site-to-subnet mappings and perform other tasks related to site and subnet management.
  4. ADSIEdit.msc - This is a special and very handy snap-in that can be used to access and edit all attributes of all objects in Active Directory. It is particularly helpful if you wish to make modifications to uncommon attributes, and/or create a new object of any of the classes defined in the Schema.

If you're an IT administrator responsible for AD management, then you probably already know about the common set of administrative tools that ship with Windows Server, but nonetheless, I thought of mentioning them here for anyone starting out in AD administration.

+ Pros: Free, Come with Windows, Can be used for AD management, Good for Basic Search and Reporting

- Cons: Very limited in their ability to generate advanced and/or custom management and security reports

Download Point: To install these tools, you need to download and install the Windows Server 2003 Administration Tools Pack, which I believe can be found here.