1. Exchange mailbox permissions are stored in two locations: Active Directory and the Exchange databases. However, you can access both kinds of permissions using the Active Directory User and Management MMC that you install from the Exchange CD.
You can also use tools like dsacls or adfind to list who has access to a particular object. However, the output of these tools may be too much for you to go through. You might need to use the "find" command to filter the output.
You can use a combination of dsquery and dsacls /r to list all mailboxes and revoke the access rights. You can refer to the following document for the syntax of dsacls: http://go.microsoft.com/fwlink/?LinkId=61158.
You can also refer to the following KB article on how to programmatically modify access rights to a mailbox: http://support.microsoft.com/kb/310866/.
2. The root from which Exchange objects inherit their permissions depends on each organization's implementation. The permissions for AD-related objects can be inherited from the domain level or the organisational unit level.
The best practice for delegating administrative permission to manage Active Directory objects or Exchange-related mailbox objects is to delegate the permission to a group. You can then add all the users who need a specific permission to these groups and remove them when they no longer need these rights. This will help prevent the problem of having to scan through the entire AD to verify which objects a particular user has access rights to when you want to revoke the permission.
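
The dsquery and dsacls /r combination from point 1, written out as an added PowerShell example (not part of the original answer); it covers only the permissions stored in Active Directory, not those held in the Exchange databases. The search base, the trustee name and the use of the homeMDB attribute to pick out mailbox-enabled users are assumptions.

```powershell
# Added example: list one trustee's ACL entries on mailbox-enabled users
# and, only when -Revoke is given, remove them with dsacls /R.
param(
    [string]$SearchBase = 'OU=Staff,DC=contoso,DC=example',  # constructed placeholder DN
    [string]$Trustee    = 'CONTOSO\jdoe',                    # constructed placeholder account
    [switch]$Revoke
)

# Assumption: a user object with homeMDB set is mailbox-enabled.
$filter = '(&(objectCategory=person)(objectClass=user)(homeMDB=*))'

# dsquery prints one quoted distinguished name per line; strip the quotes.
$dns = dsquery * $SearchBase -filter $filter -limit 0 |
    ForEach-Object { $_.Trim().Trim('"') } |
    Where-Object { $_ }

# Same job as piping dsacls into "find": keep only the lines naming the trustee.
$report = foreach ($dn in $dns) {
    $hits = dsacls $dn | Select-String -SimpleMatch -Pattern $Trustee
    foreach ($h in $hits) {
        [pscustomobject]@{ Object = $dn; Entry = $h.Line.Trim() }
    }
}
$report | Format-Table -AutoSize -Wrap

if ($Revoke) {
    # Entries inherited from the domain or an OU have to be changed on the
    # container where they are defined, not on each user object.
    foreach ($dn in ($report.Object | Sort-Object -Unique)) {
        dsacls $dn /R $Trustee | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "dsacls /R did not succeed on $dn" }
    }
}
```

Run it without -Revoke first and review the report. If most entries name individual accounts rather than groups, that is the situation point 2 recommends avoiding.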