I had already posted the recursive command for DSACLS to dump the full
structure...
Here it goes again.. Put it in a batch file....
For /F "Tokens=1* Delims=*" %%A in ('dsquery ou -limit 0') do dsacls
%%A > %%A.log
This will recursive go to each OU and dump its permissions in logfile
named by the OU.
On 9/1/05, Sakari Kouti <[EMAIL PROTECTED]> wrote:
> Hi Mark,
>
> When writing our book (Inside Active Directory), I wrote a script that dumps
> all the ACEs of a domain to an Excel spreadsheet.
>
> The script has some fixed names and it's not "production quality" by any
> means, but if you want, I can e-mail it to you.
>
> Or, if another person on the list asks, I can also put it on
> http://www.kouti.com
>
> Yours, Sakari
>
>
>
> ________________________________
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Mark Parris
> Sent: Wednesday, August 31, 2005 9:08 PM
>
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Active Directory Permissions
>
>
>
>
> My preference is a tool that does it for me – but I will put together a
> script now that I know there is not a tool to do it.
>
>
>
> Many thanks.
>
>
>
> Mark
>
>
> ________________________________
>
>
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Al
> Mulnick
> Sent: 31 August 2005 17:58
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Active Directory Permissions
>
>
>
>
> when you run it, use a command file.
>
>
>
>
>
> dsacls ou1....
>
>
> dsacls ou2....
>
>
> dsacls ou3....
>
>
>
>
>
> That of course would not get the sub OU's, but if they are relatively
> static, it would be fast to put together and it would keep your output
> fairly constant with what you have now.
>
>
>
>
>
> If not, you could root around on joeware.net and see if there is something
> there (note: I could really use a t-shirt to help me remember about joeware
> tools when I reply to these :) or you could write a script. You could even
> use something like a script that gathers the OU and then shells to dsacls or
> something that stays script only. The list goes on.
>
>
>
>
>
> Do you have a preference on the approach?
>
>
>
>
>
> Al
>
>
>
> ________________________________
>
>
> From: [EMAIL PROTECTED] on behalf of Mark
> Parris
> Sent: Wed 8/31/2005 1:28 PM
> To: ActiveDir.org
> Subject: Re: [ActiveDir] Active Directory Permissions
>
>
> DSACLS, but it would be nice for the whole tree.
>
> Mark
> -----Original Message-----
> From: "Al Mulnick" <[EMAIL PROTECTED]>
> Date: Tue, 30 Aug 2005 20:19:03
> To:<ActiveDir@mail.activedir.org>
> Subject: RE: [ActiveDir] Active Directory Permissions
>
> What are you using now for that single OU?
>
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Mark Parris
> Sent: Tuesday, August 30, 2005 7:21 AM
> To: ActiveDir.org
> Subject: [ActiveDir] Active Directory Permissions
>
> Hi,
>
> What utility can I use to list the entire OU structure for a Domain and
> all permissions set on each OU?
>
> I can manage to do it for a single OU but not say set it to DC=X,DC=Y
> and dump the whole structure.
>
> Regards
>
> Mark
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/
--
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Fortune and Love befriend the bold"
~~~~~~~~~~~~~~~~~~~~~~~~~~~
