How to find out who is delegated what access in our Active Directory?
Hi,
I have been tasked with finding out and documenting who is delegated what access in our Active Directory and I would like some help with this as I've hit a wall trying to do this.
We have an Active Directory of about 5000 users, and we're spread across a few cities. While I just joined the group, over the last few years, quite a few folks have been delegated access on different OUs, primarily to be able to provide local IT support, and some for basic helpdesk stuff (password reset assistance etc.)
The thing is that with 5000 users, and about as many computers and groups, this is just such a difficult problem for us to solve. I mean first I thought it was simply a matter of finding out who has what permissions in Active Directory, but it turns out that that is just scratching the surface of the problem, because there are SO MANY permissions and they all seem to somehow work together on each individual object.
I mean I read somewhere that I'm supposed to evaluate resultant-set-of-permissions just like resultant-set-of-policies, but I have no idea how to do so. I tried the Effective Permissions Tab but that seems to be hopelessly useless as well.
There must surely be some way to do this in an easier fashion that I'm just completely missing out on. I've ordered a book on the subject, but I mean this could take me months to do, and we have neither the resources nor the time to do so.
I am sure that others on this forum would have surely encountered this or a similar challenge, so I would be very interested to hear how you took care of this requirement. This is quite important for us, so all pointers are welcome.
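A starting point for that inventory, as an added example that is not part of the original post: a PowerShell script (assuming the RSAT ActiveDirectory module and an account that can read the OUs' security descriptors) that lists every explicit ACE on every OU, resolves the attribute and extended-right GUIDs to names, and skips the principals that hold rights by default so that only delegated entries remain.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory module
# (which provides the AD: drive) and an account that can read OU security descriptors.
Import-Module ActiveDirectory

# Map GUIDs to names so ObjectType/InheritedObjectType read as attribute, class or
# extended-right names (a password-reset delegation shows as User-Force-Change-Password).
$rootDse = Get-ADRootDSE
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.SchemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties name, schemaIDGUID |
    ForEach-Object { $guidMap[([guid]$_.schemaIDGUID).Guid] = $_.name }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.ConfigurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGuid |
    ForEach-Object { $guidMap[([guid]$_.rightsGuid).Guid] = $_.name }
function Resolve-Guid([guid]$g) {
    if ($g -eq [guid]::Empty) { return '(all)' }      # ACE is not scoped to one type
    if ($guidMap.ContainsKey($g.Guid)) { return $guidMap[$g.Guid] }
    return $g.Guid
}

# Principals that hold rights on every OU by default; skip them to surface delegations.
$domain  = (Get-ADDomain).NetBIOSName
$default = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'BUILTIN\Administrators',
             'BUILTIN\Account Operators', 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
             "$domain\Domain Admins", "$domain\Enterprise Admins")
function Get-OUDelegation {
    # One row per explicit (non-inherited) ACE on each OU. Inherited ACEs are skipped
    # because they are reported on the OU where they were actually set.
    foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
        $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($ace.IsInherited) { continue }
            if ($default -contains $ace.IdentityReference.Value) { continue }
            [pscustomobject]@{
                OU          = $ou.DistinguishedName
                Identity    = $ace.IdentityReference.Value
                Type        = $ace.AccessControlType           # Allow or Deny
                Rights      = $ace.ActiveDirectoryRights        # e.g. WriteProperty, ExtendedRight
                AppliesTo   = Resolve-Guid $ace.ObjectType      # attribute/right, or (all)
                ObjectClass = Resolve-Guid $ace.InheritedObjectType   # user, computer, ... or (all)
                Inheritance = $ace.InheritanceType              # None, All, Descendents, ...
            }
        }
    }
}

# Write the inventory out, then group by identity to see who holds what where.
Get-OUDelegation | Export-Csv -NoTypeInformation -Path .\ou-delegations.csv
Import-Csv .\ou-delegations.csv | Group-Object Identity | Sort-Object Count -Descending
```

This is the inventory of explicit grants; a particular person's effective access still depends on which of these identities are groups they belong to (and on any Deny entries), so expand membership with Get-ADGroupMember -Recursive when you need a per-person view.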