
Permissions Delegation in Active Directory

Oleg Lalaev
July 1, 2021

In large organizations there are several teams of IT administrators and help desk specialists, and in this case delegation is needed. For example, help desk specialists or team leaders may reset passwords, system administrators may change group memberships, and only IT architects or senior admins may manage OUs. This separation of duties is really helpful for both operations and security.

To perform delegation of control you need Domain Admins permissions or full control on the OUs you want to delegate control over. You can do that in several ways: via ADUC, the command prompt, and others.

Delegation via ADUC

To delegate control via Active Directory Users and Computers (dsa.msc), follow these steps:

Run dsa.msc, right-click the needed OU, and select Delegate Control...

The Delegation of Control Wizard appears; click Next. Then click Add..., choose the users or groups to whom you want to delegate control, and click Next.

On the Tasks to Delegate page, select the tasks you want to delegate; you can also create a custom task from scratch.

Click Next and then Finish.

Delegation permissions can be viewed in OU’s properties on the Security tab.

Delegation via the Command Line

For permissions delegation Microsoft developed dsacls.exe. It is good for scripted deployments and also for displaying current permissions. You can use the /a parameter to display all permissions for the OU, for example:

dsacls.exe "OU=Employees,DC=office,dc=local" /a

Here we can see the KJenkins permissions which we delegated in the previous example.

To add new delegated privileges for an account, we assign permissions to it using a specific syntax. The syntax consists of basic permissions and advanced permissions; here is the list of basic permissions:

  • GR - Generic read
  • GE - Generic execute
  • GW - Generic write
  • GA - Generic full control

The most popular advanced permissions:

  • SD - Delete
  • DT - Delete an object and all child objects
  • RC - Read security information
  • WD - Change security information
  • WO - Change owner information
  • CC - Create child object
  • DC - Delete child object
  • RP - Read property
  • WP - Write property

Let's delegate Delete permissions on the Employees OU to our user KJenkins:

dsacls.exe "OU=Employees,DC=office,DC=local" /G OFFICE\KJenkins:SD;

Delegation via the built-in groups

By default, there are built-in groups, such as Account Operators and Server Operators, which have administrative rights in Active Directory.

You can place any user in these groups to get additional permissions in the domain without the need to grant full control access. But be warned that the built-in Account Operators group provides more permissions than are actually required: its members can create, modify, and delete all objects, except members of the Domain Admins group, in all OUs except the Domain Controllers OU.

Best Practices for OU Rights Delegation

  • Build a delegation control matrix to document all access rights to your AD.
  • Always use groups when delegating permissions; don't use individual user accounts. It is easier and more secure to grant delegation access this way.
  • Avoid deny permissions, because they take precedence over allow permissions and can make your access lists too complex to manage.
  • Test the delegation settings for any unwanted effects.
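The last two best practices (no Deny entries, delegate to groups rather than individual users) can be checked automatically. The following PowerShell script is an added example, not part of the original article; it assumes the RSAT ActiveDirectory module is installed, that the AD: drive is available, and uses the article's OU path "OU=Employees,DC=office,DC=local" as a constructed sample input.

```powershell
# Added example (not from the original article): audit the explicit ACEs on an OU
# and flag what the best-practice list warns about: Deny entries and rights
# delegated directly to individual user accounts instead of groups.
# Assumes the RSAT ActiveDirectory module (Get-ADObject, AD: drive) is present.
Import-Module ActiveDirectory

function Get-DelegationFindings {
    param([Parameter(Mandatory)][string]$OuDn)   # e.g. "OU=Employees,DC=office,DC=local"

    $acl = Get-Acl -Path ("AD:\" + $OuDn)
    foreach ($ace in $acl.Access) {
        # Inherited ACEs come from parent containers; only explicit ones are delegations on this OU.
        if ($ace.IsInherited) { continue }

        # Resolve the trustee to its AD object so we can tell users from groups.
        # Well-known principals (SYSTEM, SELF, Everyone, ...) have no AD object and are skipped.
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        } catch { continue }
        $obj = Get-ADObject -Filter "objectSid -eq '$($sid.Value)'"
        if (-not $obj) { continue }

        $issues = @()
        if ($ace.AccessControlType -eq 'Deny') { $issues += 'Deny ACE (takes precedence over Allow)' }
        if ($obj.ObjectClass -eq 'user')      { $issues += 'granted to an individual user, not a group' }

        if ($issues.Count -gt 0) {
            [pscustomobject]@{
                OU      = $OuDn
                Trustee = $ace.IdentityReference.Value
                Type    = $ace.AccessControlType
                Rights  = $ace.ActiveDirectoryRights
                Issues  = ($issues -join '; ')
            }
        }
    }
}

# Run against the OU used throughout the article (constructed sample path).
# After the dsacls /G command above, this reports the KJenkins Delete ACE as a per-user delegation.
Get-DelegationFindings -OuDn "OU=Employees,DC=office,DC=local" | Format-Table -AutoSize
```

Run it after each delegation change, or on a schedule, and treat every reported row as something to move to a group or remove.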