DSREVOKE.EXE

Dsrevoke is a command-line tool that can be used on domain controllers that are running Windows Server 2003 or Windows 2000 Server to report the existence of all permissions for a specific user or group on a set of OUs in a domain and optionally remove from the DACLs of a set of OUs all permissions specified for a particular user or group.

Dsrevoke complements the functionality provided by the Delegation of Control Wizard, which is used to delegate administrative authority, by providing the ability to revoke delegated administrative authority.

Supported Operating Systems

Windows 2000, Windows Server 2003, Windows XP

DSREVOKE runs on Windows 2000, Windows XP Professional and Windows Server 2003 domain members and controllers against Windows 2000 and Windows Server 2003 Active Directory domain controllers.

Type "DSREVOKE /?" (no quotes) from the CMD prompt of a Windows 2000, Windows XP or Windows 20003 computer that is a domain member or domain controller of an Active Directory forest being targeted by the DSREVOKE.EXE utility.

To maximize the benefits offered by Dsrevoke, follow these guidelines as much as possible when delegating administrative authority:

 Use roles to delegate administrative authority. When delegating roles, be sure to use a unique and specific security group to represent every unique and specific role instance.

 Use inheritance to grant permissions to the security group representing a role instance, and grant permissions on OUs.

Delegating administrative authority by using roles involves the following tasks:

1. Create a specific and unique security group to represent the role.

2. Identify the highest level OU that represents the root of the smallest subtree that contains the subset of all objects the delegated user needs to access and modify in order to perform the delegated tasks.

3. Run the Delegation of Control Wizard on that OU and delegate the required administrative tasks to the unique and specific security group representing the unique and specific role.

If you follow these delegation guidelines, you can use Dsrevoke to easily and reliably undelegate authority. Simply run Dsrevoke in the domain, providing as input the name of the specific security group used to represent the delegated role, and use the /report switch to verify the existence of all explicit permissions for that security group that have been set on all OU objects in the domain .

Once you have reviewed the reported permissions, you can use the /remove switch to revoke all permissions granted to that security group, thereby revoking the delegated authority.