Delegate permission for Objects and Users

The groups, users, or computers to which you have given control are:

  sd_mp_group_obj_administration (TEST\sd_mp_group_obj_administration)

They have the following permissions:
  Read Members
  Write Members

For the following object types: Group

Delegated control of objects in the following Active Directory folder:

  test.net/TESTComputers/MP

The groups, users, or computers to which you have given control are:

  sd_mp_user_obj_administration (TEST\sd_mp_user_obj_administration)

They have the following permissions:
  Read All Properties
  Write All Properties
  Read and write account restrictions
  Validated write to DNS host name
  Validated write to service principal name
  List Contents, Read Permissions, All Validated Writes

For the following object types: Computer

http://morgansimonsen.wordpress.com/2013/12/17/delegating-computer-object-management-tasks/

http://technet.microsoft.com/en-in/library/cc756898%28v=ws.10%29.aspx
http://www.windowsecurity.com/articles-tutorials/windows_os_security/verifying-active-directory-delegation-accurate.html
http://msdn.microsoft.com/en-us/library/ms676913%28v=vs.85%29.aspx


Active Directory: audit users and generate reports

Run the following commands in a Windows Server 2008 command prompt.

Generate a list (CSV file output) of active users in AD:

csvde -d "ou=Users,DC=ABC,DC=net" -r "(&(objectCategory=person)(objectClass=user)(|(useraccountcontrol=512)(useraccountcontrol=66048)))" -l "sAMAccountName,givenName,sn,description,whenCreated" -f report_sno1.csv

Generate a list from the domain controller of new user accounts added during the audit period (details: user name in the system, employee name, and the date and time the account was granted):

csvde -d "ou=Users,DC=ABC,DC=net" -r "(&(objectCategory=person)(objectClass=user)(|(useraccountcontrol=512)(useraccountcontrol=66048))(&(whenCreated>=20130701000000.0Z)(whenCreated<=20131031000000.0Z)))" -l "sAMAccountName,givenName,sn,description,whenCreated" -f report_sno2.csv

Generate a list from the domain controller of user accounts revoked (disabled) during the audit period:

csvde -d "ou=Users,DC=ABC,DC=net" -r "(&(objectCategory=person)(objectClass=user)(|(useraccountcontrol=514)(useraccountcontrol=66050))(&(whenChanged>=20130701000000.0Z)(whenChanged<=20131031000000.0Z)(whenCreated<=20131031000000.0Z)))" -l "sAMAccountName,givenName,sn,description,whenChanged" -f report_sno3.csv
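As an added example (not part of the original post), the following Python script builds the same three filters with the bitwise userAccountControl matching rule instead of the exact values used above, and splits a csvde export into the three reports. The export column names and the sample rows are assumptions constructed for the example.

```python
import csv
from datetime import datetime
# userAccountControl bits: 512 = NORMAL_ACCOUNT, 66048 = 512 | DONT_EXPIRE_PASSWORD,
# and 514 / 66050 are the same values with ACCOUNTDISABLE set.
ACCOUNTDISABLE = 0x0002
BIT_AND = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND extensible-match OID
PERIOD = (datetime(2013, 7, 1), datetime(2013, 10, 31))  # audit window used in the post

def generalized_time(dt):
    """AD GeneralizedTime syntax used in the whenCreated/whenChanged clauses."""
    return dt.strftime("%Y%m%d%H%M%S") + ".0Z"

def user_filter(disabled, start=None, end=None, attr="whenCreated"):
    """LDAP filter for csvde -r. Testing the ACCOUNTDISABLE bit, rather than the exact
    values 512/66048 or 514/66050, also catches accounts carrying extra flags such as
    544 (512 | PASSWD_NOTREQD), which the exact-value filters silently skip."""
    bit = f"userAccountControl:{BIT_AND}:={ACCOUNTDISABLE}"
    parts = ["(objectCategory=person)", "(objectClass=user)",
             f"({bit})" if disabled else f"(!({bit}))"]
    if start is not None:
        parts.append(f"({attr}>={generalized_time(start)})")
    if end is not None:
        parts.append(f"({attr}<={generalized_time(end)})")
    return "(&" + "".join(parts) + ")"

def audit_reports(csv_text, start, end):
    """Split a csvde export (with userAccountControl, whenCreated and whenChanged columns)
    into the three reports. whenChanged moves on any modification, so 'revoked' is approximate."""
    lo, hi = generalized_time(start), generalized_time(end)
    reports = {"active": [], "created": [], "revoked": []}
    for row in csv.DictReader(csv_text.splitlines()):
        name = row["sAMAccountName"]
        if not int(row["userAccountControl"]) & ACCOUNTDISABLE:
            reports["active"].append(name)
            if lo <= row["whenCreated"] <= hi:  # fixed-width timestamps sort chronologically
                reports["created"].append(name)
        elif lo <= row["whenChanged"] <= hi and row["whenCreated"] <= hi:
            reports["revoked"].append(name)
    return reports

# Constructed sample of what csvde -f writes (the DN column always comes first).
SAMPLE = """DN,sAMAccountName,userAccountControl,whenCreated,whenChanged
"CN=Ann,OU=Users,DC=ABC,DC=net",ann,512,20120101120000.0Z,20130101120000.0Z
"CN=Bob,OU=Users,DC=ABC,DC=net",bob,66048,20130815093000.0Z,20130815093000.0Z
"CN=Cid,OU=Users,DC=ABC,DC=net",cid,514,20120301080000.0Z,20130920170000.0Z
"CN=Dee,OU=Users,DC=ABC,DC=net",dee,544,20130905100000.0Z,20130905100000.0Z
"""

if __name__ == "__main__":
    print(user_filter(True, *PERIOD, attr="whenChanged"))
    print(audit_reports(SAMPLE, *PERIOD))
```

Note that "dee" (userAccountControl 544) lands in the active and created reports here, but would be missed by the exact-value filters in the commands above.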