AD is often touted for its flexible delegation of administration feature. For a particular security principal, you can restrict access all the way down to the attribute level. Microsoft provides a Delegation of Control Wizard that can walk you through the process of delegating administration for certain types of tasks. You can also use the ACL editor to tweak ACLs even further.
Although it’s easy to delegate access to a particular account, it hasn’t been so easy to undelegate that access, at least until now. Microsoft recently created a tool called Dsrevoke that lets you iterate over the contents of an OU and remove all access control entries (ACEs) that contain a specific security principal. So, for example, if you created a complex delegation for a group called Help Desk, you can use Dsrevoke to go back and remove all the ACEs that contain the Help Desk security principal. That capability makes Dsrevoke a nice tool to have. So run, don’t walk, to your computer and download Dsrevoke (http://www.microsoft.com/downloads/details.aspx?familyid=77744807-c403-4bda-b0e4-c2093b8d6383).
With Dsrevoke, you can either search for (/report option) or delete (/remove option) the ACEs that have a particular security principal. To use Dsrevoke, you specify the /report or /remove option, then use the /root option to specify a root from which to start the search or delete operation. You end the command with the name of the security principal you want to search for or remove. For example, here’s a command that searches the Workstations OU for all ACEs that contain the Data Admins security principal:
dsrevoke /report /root:ou=workstations,dc=rallencorp,dc=com "RALLENCORP\Data Admins"
As Figure 3 shows, the Workstations OU has two ACEs that contain the Data Admins security principal. To delete these ACEs, you run the same command, except you replace /report with /remove:
dsrevoke /remove /root:ou=workstations,dc=rallencorp,dc=com "RALLENCORP\Data Admins"
You’ll get the same output as before, except you’ll be prompted about whether you want to delete the ACEs.
One limitation you need to be aware of is that Dsrevoke works only against OUs or a domain root. It won’t work against containers such as the default Computers (cn=Computers) or Users (cn=Users) containers.
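The following PowerShell function is an added example, not part of the article or of Dsrevoke itself; it reproduces the /report and /remove behavior described above using the RSAT ActiveDirectory module (Get-ADObject, Get-Acl and Set-Acl on the AD: drive). The search base and principal name are the article’s sample values; because it walks any search base, it also covers containers such as cn=Users, which Dsrevoke does not.

```powershell
# Added example: report or remove every explicit ACE beneath a search base that names a
# given security principal, mirroring "dsrevoke /report" and "dsrevoke /remove".
# Assumes the RSAT ActiveDirectory module is installed and the caller has rights to the ACLs.
Import-Module ActiveDirectory

function Find-DelegatedAce {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SearchBase,   # e.g. 'ou=workstations,dc=rallencorp,dc=com'
        [Parameter(Mandatory)][string]$Principal,    # e.g. 'RALLENCORP\Data Admins'
        [switch]$Remove                              # omit for a report-only run (like /report)
    )
    # Enumerate the root and everything beneath it, as Dsrevoke does for an OU.
    $dns = Get-ADObject -SearchBase $SearchBase -SearchScope Subtree -Filter * |
           Select-Object -ExpandProperty DistinguishedName
    $hits = @()
    foreach ($dn in $dns) {
        $acl = Get-Acl -Path "AD:\$dn"
        # Only explicit ACEs are actionable here; inherited copies vanish once the
        # defining ACE higher in the tree is removed.
        $matching = @($acl.Access | Where-Object {
            -not $_.IsInherited -and $_.IdentityReference.Value -eq $Principal
        })
        foreach ($ace in $matching) {
            $hits += [pscustomobject]@{
                Object      = $dn
                Type        = $ace.AccessControlType
                Rights      = $ace.ActiveDirectoryRights
                Inheritance = $ace.InheritanceType
            }
            if ($Remove) { [void]$acl.RemoveAccessRule($ace) }
        }
        # -Confirm / -WhatIf give the same "are you sure?" step Dsrevoke /remove provides.
        if ($Remove -and $matching.Count -gt 0 -and
            $PSCmdlet.ShouldProcess($dn, "Remove $($matching.Count) ACE(s) for $Principal")) {
            Set-Acl -Path "AD:\$dn" -AclObject $acl
        }
    }
    return $hits
}

# Report first (equivalent of the /report command above), then rerun with -Remove -Confirm.
Find-DelegatedAce -SearchBase 'ou=workstations,dc=rallencorp,dc=com' `
                  -Principal 'RALLENCORP\Data Admins' | Format-Table -AutoSize
```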
AdRestore
Ever wonder what happens to an object in AD when you delete it? When you delete an object, it doesn’t disappear completely. Instead, the object becomes a tombstone. After 60 days (the default tombstone lifetime period), the tombstone is permanently deleted.
Before the release of Windows 2003, there was no method for bringing tombstones back to life. Now, you can at least partially restore deleted objects, and Sysinternals’ AdRestore utility (http://www.sysinternals.com/ntw2k/source/misc.shtml) makes it a snap.
To enumerate all current deleted objects in the current domain, you run AdRestore with no options:
adrestore
Figure 4 shows sample results from this command.
If you want to restore a tombstone, you use the -r option followed by the name of the object to restore. For example, the following command restores the John Billings user account:
adrestore -r "John Billings"
The output from this command will be similar to that in Figure 4, except you’ll be prompted about whether you want to restore the object. As I mentioned previously, AdRestore only partially restores the object. The tombstone doesn’t retain all the attributes of the original object. For details about the process behind restoring deleted objects, see the Security Administrator article “AD Tombstone Objects,” March 2004, InstantDoc ID 41576.