I had already posted the recursive command for DSACLS to dump the full structure...
Here it goes again.. Put it in a batch file.... For /F "Tokens=1* Delims=*" %%A in ('dsquery ou -limit 0') do dsacls %%A > %%A.log This will recursive go to each OU and dump its permissions in logfile named by the OU. On 9/1/05, Sakari Kouti <[EMAIL PROTECTED]> wrote: > Hi Mark, > > When writing our book (Inside Active Directory), I wrote a script that dumps > all the ACEs of a domain to an Excel spreadsheet. > > The script has some fixed names and it's not "production quality" by any > means, but if you want, I can e-mail it to you. > > Or, if another person on the list asks, I can also put it on > http://www.kouti.com > > Yours, Sakari > > > > ________________________________ > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of > Mark Parris > Sent: Wednesday, August 31, 2005 9:08 PM > > To: ActiveDir@mail.activedir.org > Subject: RE: [ActiveDir] Active Directory Permissions > > > > > My preference is a tool that does it for me – but I will put together a > script now that I know there is not a tool to do it. > > > > Many thanks. > > > > Mark > > > ________________________________ > > > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Al > Mulnick > Sent: 31 August 2005 17:58 > To: ActiveDir@mail.activedir.org > Subject: RE: [ActiveDir] Active Directory Permissions > > > > > when you run it, use a command file. > > > > > > dsacls ou1.... > > > dsacls ou2.... > > > dsacls ou3.... > > > > > > That of course would not get the sub OU's, but if they are relatively > static, it would be fast to put together and it would keep your output > fairly constant with what you have now. > > > > > > If not, you could root around on joeware.net and see if there is something > there (note: I could really use a t-shirt to help me remember about joeware > tools when I reply to these :) or you could write a script. You could even > use something like a script that gathers the OU and then shells to dsacls or > something that stays script only. The list goes on. > > > > > > Do you have a preference on the approach? > > > > > > Al > > > > ________________________________ > > > From: [EMAIL PROTECTED] on behalf of Mark > Parris > Sent: Wed 8/31/2005 1:28 PM > To: ActiveDir.org > Subject: Re: [ActiveDir] Active Directory Permissions > > > DSACLS, but it would be nice for the whole tree. > > Mark > -----Original Message----- > From: "Al Mulnick" <[EMAIL PROTECTED]> > Date: Tue, 30 Aug 2005 20:19:03 > To:<ActiveDir@mail.activedir.org> > Subject: RE: [ActiveDir] Active Directory Permissions > > What are you using now for that single OU? > > > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of > Mark Parris > Sent: Tuesday, August 30, 2005 7:21 AM > To: ActiveDir.org > Subject: [ActiveDir] Active Directory Permissions > > Hi, > > What utility can I use to list the entire OU structure for a Domain and > all permissions set on each OU? > > I can manage to do it for a single OU but not say set it to DC=X,DC=Y > and dump the whole structure. > > Regards > > Mark > List info : http://www.activedir.org/List.aspx > List FAQ : http://www.activedir.org/ListFAQ.aspx > List archive: > http://www.mail-archive.com/activedir%40mail.activedir.org/ > List info : http://www.activedir.org/List.aspx > List FAQ : http://www.activedir.org/ListFAQ.aspx > List archive: > http://www.mail-archive.com/activedir%40mail.activedir.org/ > > List info : http://www.activedir.org/List.aspx > List FAQ : http://www.activedir.org/ListFAQ.aspx > List archive: > http://www.mail-archive.com/activedir%40mail.activedir.org/ -- -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~ "Fortune and Love befriend the bold" ~~~~~~~~~~~~~~~~~~~~~~~~~~~