Question

I'm not sure if this is possible, but I want to get the following sub OUs from a given OU in an AD via LDAP:

Get all OUs that can be managed (permission to set passwords, to edit users or groups or whatever) by the given user X.

To get OUs I can filter by (objectClass=organizationalUnit), but how do I filter by management rights? Is there a way?


Solution

I don't think it's possible. The management rights are stored in the DACL in the nTSecurityDescriptor attribute. In order to perform access checks, you have to evaluate every ACE in the DACL because deny trumps allow. You also have to know every group that the user is a member of, which requires its own query to the tokenGroups attribute (or a logon token). I don't see how you could construct an LDAP query with the limited operators available that takes all of the complexities of ACLs into account.
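The check the answer describes has to happen on the client, after reading nTSecurityDescriptor and tokenGroups. The following is an added example, not code from the question or the answer: it parses a DACL given as SDDL text, walks the ACEs in order the way Windows does (a deny of any still-needed bit ends the check, allows accumulate), honours object-specific ACEs such as the extended right used to reset passwords, and then filters a set of OUs client-side. All SIDs, DNs and SDDL strings are constructed; the rights masks are the documented ADS_RIGHT_* values and the GUID is the documented rightsGuid of User-Force-Change-Password (verify it against the controlAccessRight objects in your schema).

```python
"""Client-side AD access check: parse a DACL (SDDL text), take the SIDs a tokenGroups
read would return, walk the ACEs in order (deny wins), then filter OUs.
Constructed example data throughout; not from the original question or answer."""
import re

# SDDL two-letter rights for directory objects and their documented ADS_RIGHT_* masks.
SDDL_RIGHTS = {
    "CC": 0x00000001, "DC": 0x00000002, "LC": 0x00000004, "SW": 0x00000008,
    "RP": 0x00000010, "WP": 0x00000020, "DT": 0x00000040, "LO": 0x00000080,
    "CR": 0x00000100, "SD": 0x00010000, "RC": 0x00020000, "WD": 0x00040000,
    "WO": 0x00080000, "GA": 0x10000000,
}
ALL_SPECIFIC = 0x000F01FF  # simplification: GENERIC_ALL is mapped onto every bit above
# Documented rightsGuid of the User-Force-Change-Password extended right (reset password).
FORCE_CHANGE_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"
ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_rights(text):
    """Turn 'RPWPCCDC' or '0x20' into an access mask."""
    if text.startswith("0x"):
        return int(text, 16)
    mask = 0
    for i in range(0, len(text), 2):
        mask |= SDDL_RIGHTS[text[i:i + 2]]
    return (mask | ALL_SPECIFIC) if mask & SDDL_RIGHTS["GA"] else mask


def parse_dacl(sddl):
    """Return the DACL of an SDDL string as an ordered list of ACE dicts."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]  # drop owner/group and any SACL
    aces = []
    for body in ACE_RE.findall(dacl):
        ace_type, flags, rights, obj_guid, _inherit_guid, sid = body.split(";")
        aces.append({
            "type": ace_type,
            "flags": {flags[i:i + 2] for i in range(0, len(flags), 2)},
            "mask": parse_rights(rights),
            "object_type": obj_guid.lower(),  # property / extended-right GUID, or ""
            "sid": sid,
        })
    return aces


def access_check(aces, token_sids, desired, object_type=None):
    """Windows-style DACL walk. A deny ACE matching a still-needed bit denies at once;
    allow ACEs clear bits until nothing is left. Owner implicit rights are ignored."""
    remaining = desired
    for ace in aces:
        if "IO" in ace["flags"] or ace["sid"] not in token_sids:
            continue  # inherit-only ACEs apply to children, not to this object
        if ace["type"] in ("OA", "OD") and ace["object_type"]:
            # scoped to one property/extended right: only relevant when that GUID is asked for
            if object_type is None or ace["object_type"] != object_type.lower():
                continue
        if ace["type"] in ("D", "OD"):
            if remaining & ace["mask"]:
                return False
        else:
            remaining &= ~ace["mask"]
            if remaining == 0:
                return True
    return remaining == 0


def manageable_ous(ous, token_sids, desired, object_type=None):
    """The filter LDAP cannot express server-side: keep OUs whose DACL grants `desired`."""
    return [dn for dn, sd in ous.items()
            if access_check(parse_dacl(sd), token_sids, desired, object_type)]


# ---- constructed data ---------------------------------------------------------------
DOMAIN = "S-1-5-21-1111-2222-3333"
USER_X, USER_Y = f"{DOMAIN}-1105", f"{DOMAIN}-1106"
OU_ADMINS, CONTRACTORS, DOMAIN_ADMINS = f"{DOMAIN}-2001", f"{DOMAIN}-2002", f"{DOMAIN}-512"
# What a tokenGroups read yields (nested groups already flattened), plus the user's own SID.
TOKEN_X = {USER_X, OU_ADMINS, CONTRACTORS, f"{DOMAIN}-513", "S-1-5-11"}
TOKEN_Y = {USER_Y, CONTRACTORS, f"{DOMAIN}-513", "S-1-5-11"}
# Sales OU: Contractors denied WP; OU-Admins read/write properties and create/delete children,
# and may reset passwords on children (CIIO = container-inherit, inherit-only); DA has all.
OU_SALES_SD = (f"O:{DOMAIN_ADMINS}G:{DOMAIN_ADMINS}D:"
               f"(D;CI;WP;;;{CONTRACTORS})(A;CI;RPWPCCDC;;;{OU_ADMINS})"
               f"(OA;CIIO;CR;{FORCE_CHANGE_PASSWORD};;{OU_ADMINS})(A;CI;GA;;;{DOMAIN_ADMINS})")
OU_FINANCE_SD = f"O:{DOMAIN_ADMINS}G:{DOMAIN_ADMINS}D:(A;CI;GA;;;{DOMAIN_ADMINS})"
# A user object inside Sales: the same ACEs arrive as inherited (ID) entries.
USER_IN_SALES_SD = (f"O:{DOMAIN_ADMINS}G:{DOMAIN_ADMINS}D:"
                    f"(D;ID;WP;;;{CONTRACTORS})(A;ID;RPWPCCDC;;;{OU_ADMINS})"
                    f"(OA;ID;CR;{FORCE_CHANGE_PASSWORD};;{OU_ADMINS})(A;ID;GA;;;{DOMAIN_ADMINS})")
OUS = {"OU=Sales,DC=example,DC=com": OU_SALES_SD,
       "OU=Finance,DC=example,DC=com": OU_FINANCE_SD}

if __name__ == "__main__":
    WP, RP, CR, CC, DC = (SDDL_RIGHTS[k] for k in ("WP", "RP", "CR", "CC", "DC"))
    print("X writes OU properties:", access_check(parse_dacl(OU_SALES_SD), TOKEN_X, WP))  # deny wins
    print("X reads OU properties: ", access_check(parse_dacl(OU_SALES_SD), TOKEN_X, RP))
    print("X resets a Sales user's password:",
          access_check(parse_dacl(USER_IN_SALES_SD), TOKEN_X, CR, FORCE_CHANGE_PASSWORD))
    print("Y resets a Sales user's password:",
          access_check(parse_dacl(USER_IN_SALES_SD), TOKEN_Y, CR, FORCE_CHANGE_PASSWORD))
    print("OUs where X can create/delete objects:", manageable_ous(OUS, TOKEN_X, CC | DC))
```

Two things the walk makes visible that no LDAP filter can: user X is in a group that is allowed to write properties on the Sales OU and in another that is denied it, and the deny wins; and the reset-password right on the OU is an inherit-only ACE, so it never grants anything on the OU itself and only shows up on the child user objects. In a real directory the attribute comes back as a binary security descriptor (request it with the SD flags control so the DACL is included) that you decode before feeding it to a walk like this one, and a full check also applies the object's generic mapping and the owner's implicit READ_CONTROL/WRITE_DAC, which this model leaves out.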

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow