July 1, 2021
Updated May 25, 2023

Permissions Delegation in Active Directory


Large organizations have several teams of IT administrators and help desk specialists, and in that case delegation of control is needed. For example, help desk specialists or team leaders may reset passwords, system administrators may change group memberships, and only IT architects may manage OUs. This separation of duties helps both operations and security.

To delegate control you need Domain Admins permissions or Full Control over the OUs you want to delegate control over. You can do it in several ways: via ADUC, from the command prompt, and others.

Delegation via ADUC

To delegate control via Active Directory Users and Computers (dsa.msc), follow these steps:

Run dsa.msc, right-click the required OU, and select Delegate Control...

Screenshot: Active Directory Users and Computers (dsa.msc)

The Delegation of Control Wizard appears; click Next. Then click Add..., choose the users or groups to whom you want to delegate control, and click Next.

In the Tasks to Delegate window, select the tasks you want to delegate; you can also create a custom task to delegate.

Screenshot: Tasks to Delegate

Click Next and Finish.

Screenshot: Completing the Delegation of Control Wizard

The delegated permissions can be viewed in the OU's properties on the Security tab.

Delegation via the Command Line

For permissions delegation Microsoft provides dsacls.exe. It is well suited to scripted deployments and also to displaying the current permissions. Use the /A parameter to display the full set of permissions for the OU, for example:

dsacls.exe "OU=Employees,DC=office,dc=local" /a

Screenshot: dsacls.exe output for the Employees OU

Here we can see the permissions of KJenkins, which we delegated in the previous example.

To add new delegated rights for an account, we assign permissions to it using a specific syntax. The syntax consists of basic (generic) permissions and advanced permissions; here is the list of basic permissions:

  • GR - Generic read
  • GE - Generic execute
  • GW - Generic write
  • GA - Generic full control

The most commonly used advanced permissions:

  • SD - Delete
  • DT - Delete an object and all child objects
  • RC - Read security information
  • WD - Change security information
  • WO - Change owner information
  • CC - Create child object
  • DC - Delete child object
  • RP - Read property
  • WP - Write property

Let's delegate the Delete permission on the Employees OU to our user KJenkins:

dsacls.exe "OU=Employees,DC=office,DC=local" /G OFFICE\KJenkins:SD;

Delegation via the built-in groups

By default there are built-in groups, such as Account Operators and Server Operators, which hold administrative rights in Active Directory.

You can place any user in these groups to grant additional permissions in the domain without granting Full Control. Be warned, however, that the built-in Account Operators group provides more permissions than are usually required: its members can create, modify and delete all objects, except members of the Domain Admins group, in all OUs except the Domain Controllers OU.

Best Practices for OU Rights Delegation

  • Build a delegation control matrix that documents all access rights granted in your AD.
  • Always delegate permissions to groups, never to individual user accounts; it is easier to manage and more secure.
  • Avoid Deny permissions: they take precedence over Allow permissions and quickly make your access lists too complex to manage.
  • Test the delegation settings for any unwanted side effects.
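Added example (not from the Serverspace article): a PowerShell audit of the ACEs set directly on an OU, the same information dsacls /A prints, with the ObjectType GUIDs resolved to attribute and extended-right names and each entry checked against the best practices above (no Deny entries, groups rather than users, no unneeded Full Control). It assumes the RSAT ActiveDirectory module is installed and uses the article's Employees OU DN as a placeholder.

```powershell
# Added example, not from the original article. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$OuDn = 'OU=Employees,DC=office,DC=local'   # placeholder DN, replace with your own OU

# Map schema GUIDs and extended-right GUIDs to names so ObjectType becomes readable
# (e.g. "pwdLastSet" or "User-Force-Change-Password" instead of a raw GUID).
$rootDse = Get-ADRootDSE
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

# Read the OU's DACL through the AD: drive; inherited ACEs were delegated higher up,
# so only the entries set directly on this OU are reviewed here.
$acl = Get-Acl -Path "AD:\$OuDn"
$report = foreach ($ace in ($acl.Access | Where-Object { -not $_.IsInherited })) {
    $target = if ($ace.ObjectType -eq [guid]::Empty) { 'All' }
              elseif ($guidMap.ContainsKey($ace.ObjectType)) { $guidMap[$ace.ObjectType] }
              else { $ace.ObjectType.ToString() }

    # Resolve the trustee to its AD object class (user vs group). Well-known identities
    # such as SELF or Everyone have no AD object and are reported as 'unknown'.
    $class = 'unknown'
    try {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        $obj = Get-ADObject -Filter "objectSid -eq '$sid'"
        if ($obj) { $class = $obj.ObjectClass }
    } catch {}

    # Flag entries that contradict the best practices in the article.
    $flags = @()
    if ($ace.AccessControlType -eq 'Deny') { $flags += 'DENY-ACE' }
    if ($class -eq 'user') { $flags += 'USER-NOT-GROUP' }
    if ($ace.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)) {
        $flags += 'FULL-CONTROL'
    }

    [pscustomobject]@{
        Trustee = $ace.IdentityReference.Value
        Class   = $class
        Type    = $ace.AccessControlType
        Rights  = $ace.ActiveDirectoryRights
        Applies = $target
        Flags   = ($flags -join ',')
    }
}
$report | Sort-Object Trustee | Format-Table -AutoSize
```

Run the script against each OU in your delegation matrix and compare the Trustee/Rights/Applies columns with what the matrix says should be there; any row with a non-empty Flags column is a candidate for cleanup.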
