ActiveDirSec.Org

The world's most trusted forum on Active Directory Security


Post Info TOPIC: How to determine delegated access in Active Directory?


Date: May 31, 2011


Hi again. As I had mentioned, we were in the midst of a thorough review of our Active Directory, and are looking at everything, from DC security to auditing to delegated access in our Active Directory.

We natively delegate administration in Active Directory, and in fact have been doing so for a few years now. The problem is that in the last two/three years, we've had some administrative churn, and so have had to make a fairly non-trivial set of changes to delegated rights in our Active Directory.

The problem is that we now don't really know who is delegated what access, and that's a huge problem. For political reasons, it's a little difficult to discuss internally, because the notion is that everyone is trusted internally. All that's good, but then why delegate if everyone's supposed to have equal access? Anyways, I seem to be meandering here.

Getting back to the point, I'd like to know if there is a way to efficiently find out just who might be delegated what access in the Active Directory? We're not even sure where to actually start from, given how complicated it is, especially with inheritance and nested groups and so many different kinds of permissions, not all of which seem to apply half the time anyway.

As always, all helpful pointers and guidance are much appreciated. Thanks.



__________________

I’m sorry, but having a DB9 on the drive and not driving it is a bit like having Keira Knightley in your bed and sleeping on the couch.
