Re: Export security on objects in AD

I thought I saw this posted elsewhere. Did you post it somewhere else and get this resolved ?

Re: Export security on objects in AD

Hmm no I don't think so but I would be very happy if there was a way to do this.

Re: Export security on objects in AD

Let me know what the problem is resetting user passwords and how they are going about it (the steps involved). You can get a listing of permissions for any object in Hyena by right clicking on the object (or multiple objects in the right window) and selecting "List Directory Security". For users, this option is on the "Account Functions" menu. There is an AD security right for reset passwords. Note that you can also see this right on OUs as well, if it was set to propogate to child objects (users, etc.)

Re: Export security on objects in AD

The problem is that my helpdesk used to be "domain admins" but now they're only account operators. On some of the user objects in the AD "account operators" are not on the "security" tab. But also the objects don't enherit security from above settings.

So this means my helpdesk can't unlock some user accounts as they get access denied. So I would like to search for all those objects where "account operators" are not listed in on the security tab.

Right now a domain admin will manually add the account operators to the user object when we have this "problem".

I didn't know about the "list directory security". Is it possible to do an export on all objects not having "account operators" on the security list?

Re: Export security on objects in AD

There isn't any way to export this list using our export tool (Exporter Pro), but you can get the security listing for any number of objects and then export this to a file (Edit->Select All, Edit->Copy). But the resulting list will show what settings are present, not which ones are absent. For that, you would have to run an MSAccess query against a full list of accounts vs the access and show which ones have the missing security setting.