In a Windows Server 2008 R2 AD, is it possible to get a list of OUs managed by a User from the User object, or does one need to parse the list of OUs?
(i.e., is there a representation on the User object of OU management, or is it only a var on the OU?)
You cannot see the OUs that a particular user has access to from the actual User object in AD. You can however use a powerful tool in PowerShell called DSACLS. You'd run PowerShell as admin and then use this command:
dsacls "ou=nameofou,dc=domainname,dc=com"
replacing nameofou and domainname with your desired OU and your AD Domain.
See the section under DSACLS here for more help: http://blogs.technet.com/b/heyscriptingguy/archive/2012/03/12/use-powershell-to-explore-active-directory-security.aspx
No, the user account/object does not contain an attribute for ~"things this object can manage."
Permissions are handled by ACLs/ACEs (Access Control Lists/Access Control Entries) on the objects themselves, which define what other objects have permissions to do what to with the object holding the ACL.
To figure out what all OUs a given user has permission to manage, the approach is a script that scans through all your OUs and returns those on which the target user has the permissions you're curious about (and, to be thorough, groups that your user is a member of).
It looks like there's a PowerShell script from Ashley McGlone that does most of what you need and gives you a shiny csv or Excel file out. You could, of course, do the same thing within the PowerShell console, filtering the results against the user you're interested in, and changing the formatting and attributes returned, but (no offense) that seems a little advanced for you, and I'm a wee bit slammed at the moment, so I'm not gonna punch one up for you, but it would be a relatively simple one-liner with the Get-Acl cmdlet at its core.
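The scan both answers describe, written out as an added example (this is not code from either answer, nor Ashley McGlone's script): enumerate every OU, read each OU's ACL through the AD: drive with Get-Acl, and keep the OUs where the target user, or any group the user belongs to, holds a right that amounts to managing the OU. The account name 'jdoe' is a placeholder, and the set of rights in $ManageRights is an assumption about what "manage" should mean; adjust both. It needs the ActiveDirectory module (RSAT) and read access to the OUs' security descriptors.

```powershell
# Added example, not code from the answers above. Lists the OUs on which a user
# (directly, or through group membership) holds rights that amount to managing the OU.
# Assumptions: 'jdoe' is a placeholder sAMAccountName; $ManageRights is one
# reasonable definition of "manage", edit it to match your own.
Import-Module ActiveDirectory

$Target = Get-ADUser -Identity 'jdoe' -Properties tokenGroups

# tokenGroups is a constructed attribute holding the SIDs of every group the
# account belongs to, nested membership included, so matching ACEs against it
# covers "groups that your user is a member of" without walking memberOf.
$PrincipalSids = @($Target.SID.Value) + @($Target.tokenGroups | ForEach-Object { $_.Value })

# Rights that count as "managing" an OU for this report (assumption, see lead-in).
$ManageRights = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll -bor
                [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite -bor
                [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
                [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner -bor
                [System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
                [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild

$Results = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)

    # Ask for the rules with SID identities so the comparison does not depend on
    # name resolution; include explicit and inherited ACEs.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($PrincipalSids -notcontains $rule.IdentityReference.Value) { continue }
        if (($rule.ActiveDirectoryRights -band $ManageRights) -eq 0) { continue }

        # Resolve the SID back to a name for the report; keep the raw SID if it
        # no longer resolves (deleted group, foreign domain).
        $grantedTo = try {
            $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $rule.IdentityReference.Value
        }

        [pscustomobject]@{
            OU         = $ou.DistinguishedName
            GrantedTo  = $grantedTo
            Rights     = $rule.ActiveDirectoryRights
            ObjectType = $rule.ObjectType   # all-zero GUID means the ACE covers the whole object
            Inherited  = $rule.IsInherited
        }
    }
}

$Results | Sort-Object OU | Format-Table -AutoSize

# Same data as a CSV, as the second answer suggests:
# $Results | Export-Csv -Path .\ou-rights-jdoe.csv -NoTypeInformation
```

Two caveats when reading the output. The script skips Deny ACEs, so a matching Allow entry can still be overridden by a Deny higher in the DACL; if a result looks surprising, run the first answer's dsacls command against that OU to see the full list. And an ACE whose ObjectType is a specific schema GUID (for example CreateChild limited to user objects) is narrower than the same right with an all-zero ObjectType, so treat the ObjectType column as part of the answer rather than noise.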