Saturday, October 15, 2011

Command line to use acldiag.exe / How to take a report on Active Directory (AD) delegation permissions per OU/site/group/object

Microsoft provides a free command-line utility called acldiag.exe with which we can generate a log-style report of the permissions and delegation assigned to OUs, groups and objects in Active Directory.

We can even give it input from a text file if you need a report on multiple OUs. The text file must contain the OU names.

Let's see how.

Here is an example batch file that takes a permission report for multiple OUs in a domain. The names of the OUs are passed to the batch file through a text file.

Download the support tools from and install them on your computer.

rem Read one OU name per line; "delims=" keeps OU names that contain spaces whole
for /f "delims=" %%a in (c:\users\delphin\desktop\list.txt) do (
acldiag "ou=%%a,dc=domain,dc=com" >>c:\users\delphin\desktop\log.txt
)

Copy the above code and paste it into a Notepad file. Replace "domain" with your domain name, and replace "c:\users\delphin\desktop\list.txt" with the path of the text file containing the list of OUs in your domain.

Replace "c:\users\delphin\desktop\log.txt" with the location where you want the log file to be saved, and rename the file to adreport.bat.

The file list.txt must contain the names of the OUs, one OU name per line.

The log.txt will contain the details as in the following screenshot.
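
A more defensive variant of adreport.bat, added here as an example and not part of the original post: it checks that the list file and acldiag.exe are present, starts a fresh log, writes a header before each OU's report, and accepts a full DN in list.txt for nested OUs. The variable names, the %USERPROFILE% paths and dc=domain,dc=com are placeholders, and it assumes acldiag.exe is on PATH.

```batch
@echo off
setlocal EnableExtensions
rem Added example. LIST, LOG and DOMAINDN are placeholders: adjust to your environment.
set "LIST=%USERPROFILE%\desktop\list.txt"
set "LOG=%USERPROFILE%\desktop\log.txt"
set "DOMAINDN=dc=domain,dc=com"

if not exist "%LIST%" (
    echo OU list not found: "%LIST%"
    exit /b 1
)
where acldiag >nul 2>&1 || (
    echo acldiag.exe is not on PATH. Install the support tools first.
    exit /b 1
)

rem Start a fresh log so reports from an earlier run are not mixed in.
>"%LOG%" echo ACL report generated %DATE% %TIME%

rem usebackq allows the list path to be quoted; delims= keeps names with spaces whole.
rem Lines starting with ; are skipped by for /f and can be used as comments in list.txt.
for /f "usebackq delims=" %%a in ("%LIST%") do call :report "%%a"
exit /b 0

:report
rem A plain name is treated as a top-level OU under DOMAINDN.
set "DN=ou=%~1,%DOMAINDN%"
rem A line that already starts with ou= is taken as a full DN (nested OUs,
rem or names with DN special characters escaped, e.g. a comma written as \,).
echo %~1| findstr /i /b "ou=" >nul && set "DN=%~1"
>>"%LOG%" echo.
>>"%LOG%" echo ===== %DN% =====
rem Capture error output too, so a mistyped OU shows up in the report.
acldiag "%DN%" >>"%LOG%" 2>&1
exit /b 0
```

Because the log records who holds delegated rights on each OU, keep it in a location that only administrators can read.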

Hope this helps..

