ActiveDirSec.Org

The world's most trusted forum on Active Directory Security


TOPIC: How to determine where all a domain security group has permissions in our Active Directory?
Joe


Member

Status: Offline
Posts: 5
Date: Dec 3, 2010
How to determine where all a domain security group has permissions in our Active Directory?


Hello Everyone,

As a part of our internal security assessment review process, we would like to find out where all some of our delegated admin domain security groups have permissions in our Active Directory. We are basically trying to find out who has what rights in our Active Directory, and this seemed like a logical place to start.

If you have any suggestions as to how we could find out where all security groups might have permissions in Active Directory, I would appreciate your input.

Thank you,
Joe



__________________
Don't mess with my Alienware!


Member

Status: Offline
Posts: 5
Date: Jun 15, 2011

Hi Joe,

The answer to your question depends on whether you are trying to find out who has what permissions in your Active Directory (AD), or whether you are trying to find out who has what effective-permissions in your AD.

I say that because there is a very subtle yet very big difference between the two.

As you know, in any AD, there are thousands of permissions granted to many users, groups and well-known security principals. These permissions reside in the access control lists (ACLs) of AD objects, and many of them are there by default.

In addition, when we delegate access, we end up introducing more permissions in AD. For example, when we delegate authority, we typically delegate it on an OU, and as a result, a number of permissions get added in the ACL of all objects in that OU. However, depending on the delegation, not all permissions may be applicable on every object.

Also, because permissions can be of different types (allow/deny), no single permission by itself controls/influences what a user/member of a group can do, but in fact, all permissions together control/influence what someone can do.

That is why there is a difference between finding/listing where all a group has permissions and trying to determine what access members of that group actually have.

If you are wanting to find out who can do what in your AD, then you need to determine what is called effective/resultant-access in Active Directory.

On the other hand, maybe you are just wanting to find out where all a group has permissions so that you can remove any explicit permissions granted to that group, in which case it is sufficient to perform a basic permissions search.

Performing a basic permissions search is easy, but determining resultant-access in AD is unfortunately substantially more difficult because AD's security model is quite complex.

Just remember the mantra: "Where all a user has permissions" IS NOT EQUAL TO "What all the user can actually do."

/Simone



-- Edited by Simone on Wednesday 15th of June 2011 05:22:52 PM

__________________

Women's eyes have pierced more hearts than ever did the bullets of war.
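As an added example (not Joe's or Simone's own code), this is the "basic permissions search" the reply describes, written in PowerShell against the RSAT ActiveDirectory module: it lists every ACE in the domain whose trustee is one group and separates explicit ACEs from inherited copies. It does not compute effective access; the parameter names and output layout are my assumptions.

```powershell
<#
 Added example, not from the original thread. Basic permissions search for one
 group: find every ACE whose trustee is that group, then separate explicit ACEs
 (the ones you would remove) from the copies that inheritance has stamped on
 child objects. This does NOT compute effective/resultant access.
 Assumes the RSAT ActiveDirectory module; $GroupName and $SearchBase are
 hypothetical parameter names chosen for this example.
#>
param(
    [Parameter(Mandatory)][string]$GroupName,   # sAMAccountName, e.g. "HelpDeskAdmins"
    [string]$SearchBase = (Get-ADDomain).DistinguishedName
)
Import-Module ActiveDirectory   # also provides the AD: drive used by Get-Acl below

# Match on SID rather than display name so renamed groups are still found and
# orphaned (untranslatable) trustees are skipped cleanly.
$groupSid = (Get-ADGroup -Identity $GroupName).SID.Value

$hits = foreach ($obj in Get-ADObject -Filter * -SearchBase $SearchBase -SearchScope Subtree) {
    $acl = Get-Acl -Path ("AD:\" + $obj.DistinguishedName)
    foreach ($ace in $acl.Access) {
        $sid = $ace.IdentityReference
        if ($sid -isnot [System.Security.Principal.SecurityIdentifier]) {
            try { $sid = $sid.Translate([System.Security.Principal.SecurityIdentifier]) }
            catch { continue }   # trustee cannot be resolved, so it is not our group
        }
        if ($sid.Value -ne $groupSid) { continue }
        [pscustomobject]@{
            Object      = $obj.DistinguishedName
            Type        = $ace.AccessControlType      # Allow or Deny
            Rights      = $ace.ActiveDirectoryRights
            # All-zero GUID = whole object; any other GUID = one attribute, property
            # set or extended right, which is why an ACE need not apply everywhere.
            ObjectType  = $ace.ObjectType
            # Object class the ACE targets when inherited (all-zero GUID = any class).
            InheritedObjectType = $ace.InheritedObjectType
            Explicit    = -not $ace.IsInherited       # $true: set on this object itself
            Inheritance = $ace.InheritanceType
        }
    }
}

"Explicit ACEs for $GroupName (removing these also removes their inherited copies):"
$hits | Where-Object Explicit | Sort-Object Object |
    Format-Table Object, Type, Rights, Inheritance -AutoSize
"Inherited ACEs: $(@($hits | Where-Object { -not $_.Explicit }).Count)"
"Deny ACEs (these override Allows when effective access is evaluated): $(@($hits | Where-Object Type -eq 'Deny').Count)"
```

Run it as a domain user with read access to the ACLs in scope; on a large domain, narrow $SearchBase to the OUs where the group was delegated to keep the run time reasonable.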
