In this post we will look at how to find where a user or group have been assigned permissions in the AD, this is based on NetTools v1.30.8 or later. For details using NetTools v1.30.7 or earlier see this post.
For this task we will use the AD Permissions Reporter option in NetTools, which will allow us to search the entire domain or a specific OU structure and report on any permissions that are assigned to the specified user or group. As this will search every object in the AD, it's best to run this on a server or workstation that is on the same network segment as the Domain Controller, or on the Domain Controller itself.
First we need to find the user or group we are interested in, in the Quick Search box enter the name of the user or group and click the search button. In this case we are searching for the user called greynolds.
The results of the search will be displayed in the User Search option, right click on the correct user or group from the list, and select Use With -> AD Permissions Reporter from the context menu.
NetTools will switch to the AD Permissions Reporter option and start searching for selected user or group in AD. Depending on the size of your AD this might take a while as it will read the permissions of every object in the domain context. Once the search is complete all the objects that user or group have been assigned direct permissions will be displayed.
By clicking on one of the objects listed in the left results pane you can view the permissions that have been assigned to the user or group.
It's also worth completing a search of the Configuration partition in case permissions have been assigned there as well. This can be done by changing the Context field to Configuration NC and pressing Go.