25.05.2023

Permissions Delegation in Active Directory

In large organizations, there are several teams of IT administrators and help desk specialists, in this case delegation is needed. For example, help desk specialists or team leaders may reset passwords, system administrators may change group memberships, and only IT architects admins may manage OUs. This separation of duties is really helpful for operations and security.

To perform delegation of control you need Domain Admins permissions or have full control on the OUs you want to delegate control over. You can do that several ways: via ADUC, command prompt and others.

Delegation via ADUC

In order to delegate control via Active Directory Users and Computers (dsa.msc). Follow these:

Run dsa.msc. Rightclick the needed OU, and select Delegate control...

The Delegation of Control Wizard appears where you need to click “Next”. Then click “Add...” choose to whom you want to delegate control and click Next

On the Tasks to Delegate window, select the tasks you want to delegate, you can also Create a custom task from scratch.

Click Next and Finish.

Delegation permissions can be viewed in OU’s properties on the Security tab.

Delegation via the Command Line

For permissions delegation Microsoft developed dsacls.exe. It is good for scripted deployments. It is also good for displaying current permissions. You can use /a parameter to display all permissions for the OU, for example:

dsacls.exe "OU=Employees,DC=office,dc=local" /a

Here we can see KJenkins permissions which we’ve delegated in our previous example.

In order to add new delegated privileges for an account we need to assign to it permissions according to certain syntax. Syntax consists of basic permissions and Advanced, here is the list of basic permissions:

The most popular advanced permissions:

Lets delegate to our user KJenkins Delete permissions to Employees OU:

dsacls.exe "OU=Employees,DC=office,DC=local"  /G OFFICE\KJenkins:SD;

Delegation via the built-in groups

By default, there are built-in groups, such as Account Operators and Server Operators which has administrative tasks in Active Directory.

You can place any user to these groups and get additional permissions in domain without the need to grant full control access. But be warned that built-in Account Operators group provides more permissions than are actually required. They can create, modify, and delete all objects, except members of the Domain Admins group, in all OUs except the Domain Controllers OU.

Best Practices for OU Rights Delegation