How To Find Assigned Permissions in AD

In this post we will look at how to find where a user or group has been assigned permissions in AD.

For this task we will use the Find Assigned Trustee option in NetTools, which allows us to search the entire domain or a specific OU structure and report on any permissions that are assigned to the specified user or group. As this will search every object in AD, it's best to run it on a server or workstation that is on the same network segment as the Domain Controller, or on the Domain Controller itself.

First we need to find the user or group we are interested in. In the Quick Search box, enter the name of the user or group and click the search button. In this case we are searching for the user called greynolds.

Quick Search

The results of the search will be displayed in the User Search option. Right-click the correct user or group in the list and select Use With -> Find Trustee from the context menu.

Select Find Trustee menu option

NetTools will switch to the Find Trustee Assignment option and start searching for the selected user or group in AD. Depending on the size of your AD this might take a while, as it will read the permissions of every object in the domain context. Once the search is complete, all the objects on which the user or group has been assigned direct permissions will be displayed.

Find Trustee Assignments

By clicking on one of the objects listed in the left results pane you can view the permissions that have been assigned to the user or group.

It's also worth completing a search of the Configuration partition in case permissions have been assigned there as well. This can be done by changing the Context field to Configuration NC and pressing Go.
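
For cross-checking the NetTools results from a script, the same audit can be approximated with the ActiveDirectory PowerShell module (RSAT). This is an added example, not NetTools code: the function name `Find-TrusteeAssignment` is hypothetical, and it assumes "direct permissions" means explicit (non-inherited) ACEs whose trustee is the account's own SID.

```powershell
# Added example: requires the ActiveDirectory module (RSAT) and read access to the directory.
Import-Module ActiveDirectory

function Find-TrusteeAssignment {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,            # user or group to look for
        [string] $SearchBase = (Get-ADDomain).DistinguishedName     # domain NC by default
    )

    # ACEs store the trustee as a SID, so resolve the name first.
    $name    = $SamAccountName.Replace("'", "''")                   # escape quotes for the filter
    $trustee = @(Get-ADObject -Filter "sAMAccountName -eq '$name'" -Properties objectSid)
    if ($trustee.Count -ne 1) {
        throw "Expected exactly one match for '$SamAccountName', found $($trustee.Count)."
    }
    $sid = $trustee[0].objectSid.Value

    # Read the security descriptor of every object under the search base.
    Get-ADObject -Filter * -SearchBase $SearchBase -SearchScope Subtree `
                 -Properties nTSecurityDescriptor -ResultPageSize 500 |
        ForEach-Object {
            $dn = $_.DistinguishedName
            $sd = $_.nTSecurityDescriptor
            if (-not $sd) { return }                                # descriptor not readable, skip

            # includeExplicit = $true, includeInherited = $false: explicit ACEs only,
            # with trustees returned as SIDs so the comparison does not depend on name lookups.
            $sd.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
                Where-Object { $_.IdentityReference.Value -eq $sid } |
                ForEach-Object {
                    [pscustomobject]@{
                        Object      = $dn
                        Type        = $_.AccessControlType          # Allow or Deny
                        Rights      = $_.ActiveDirectoryRights
                        ObjectType  = $_.ObjectType                 # attribute/extended-right GUID, if any
                        AppliesTo   = $_.InheritanceType
                    }
                }
        }
}

# Domain partition, then the Configuration partition, for the user from this post.
Find-TrusteeAssignment -SamAccountName 'greynolds'
Find-TrusteeAssignment -SamAccountName 'greynolds' `
    -SearchBase (Get-ADRootDSE).configurationNamingContext
```

Like the NetTools search, this reads the security descriptor of every object under the search base, so it is best run close to a Domain Controller. Permissions granted through group membership only appear when the function is run against the group itself.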