Finding Delegated Permissions in Active Directory
Feb 14, 2023
AD Permission Delegation
Why delegate? AD permission delegation refers to assigning administrative control over specified objects within the Active Directory structure to users or groups. This removes the bottleneck of only AD admins being able to perform those tasks. Delegating permissions is necessary to help manage the ongoing operations of an organization.
Why shouldn’t you give Domain Admin privileges to all the users you want to perform common tasks like password resets or unlocking accounts? This would give those users the ability to perform the tasks, but it would also introduce the risk of unwanted or accidental changes that could result in misconfiguration or downtime. Increasing the number of users with full control over everything in the domain would create a huge security concern. Delegation is a much safer way to provide the permissions needed for common tasks without granting privileged access to the domain.
How are permissions delegated in AD? Permissions can be delegated with the Active Directory Users and Computers (ADUC) management console. The Delegation of Control Wizard is launched by right-clicking an OU and selecting Delegate Control from the top of the context menu. You then select the users or groups you want to assign the permissions to and the permissions you wish to grant them. See the Microsoft article Delegating Administration by Using OU Objects for more information on delegation through OUs. Delegation can also be done through PowerShell; see the Microsoft Learn PowerShell script delegate OU permissions examples.
Find Delegated Permissions
How do you find who has what delegated permissions in AD? Over time permissions will be delegated, and people will come and go or change roles in the organization. To figure out the current set of permissions and verify that they are correct, you can open ADUC, right-click an object and select Properties. If the Advanced Features view setting is checked, you can see the Security tab and choose Advanced to see the permission entries. You can also use PowerShell and various command-line utilities to gather the permissions. Given that delegated permissions can be set on OUs, security groups and individual user objects, gathering and analyzing all of that information this way is very time consuming.
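As an added example (not part of the original post, and not a Cygna script), the following PowerShell walks every OU in the domain and reports the explicit, non-inherited access control entries, which is where wizard-based delegations land. It assumes the RSAT ActiveDirectory module is installed and that the list of baseline principals to skip matches your domain's default security descriptors; the Reset Password GUID is the well-known User-Force-Change-Password control access right.

```powershell
# Added example: enumerate explicit (non-inherited) ACEs on all OUs so that
# delegations can be reviewed without opening each OU's Security tab in ADUC.
# Assumes the RSAT ActiveDirectory module (provides the AD: drive) is available.
Import-Module ActiveDirectory

# Well-known control access right GUID for "Reset Password" (User-Force-Change-Password).
$ResetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'

# Principals present in the default OU security descriptor; assumed baseline, not delegations.
$BaselinePrincipals = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF',
                        'NT AUTHORITY\Authenticated Users',
                        'BUILTIN\Administrators', 'BUILTIN\Account Operators',
                        'BUILTIN\Pre-Windows 2000 Compatible Access')

function Get-OuDelegation {
    [CmdletBinding()]
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase | ForEach-Object {
        $ou  = $_
        $acl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)
        foreach ($ace in $acl.Access) {
            # Inherited ACEs were set higher up; report each delegation once, where it was set.
            if ($ace.IsInherited) { continue }
            if ($BaselinePrincipals -contains $ace.IdentityReference.Value) { continue }
            if ($ace.IdentityReference.Value -like '*\Domain Admins') { continue }

            $right = $ace.ActiveDirectoryRights.ToString()
            if ($ace.ObjectType -eq $ResetPasswordGuid) { $right = 'ExtendedRight: Reset Password' }

            [pscustomobject]@{
                OU         = $ou.DistinguishedName
                Principal  = $ace.IdentityReference.Value
                AccessType = $ace.AccessControlType   # Allow or Deny
                Right      = $right
                ObjectType = $ace.ObjectType          # attribute/right GUID; all zeros = whole object
                AppliesTo  = $ace.InheritanceType     # None, All, Descendents, ...
            }
        }
    }
}

# Usage: review every delegation, then narrow to who can reset passwords and where.
$delegations = Get-OuDelegation
$delegations | Sort-Object OU, Principal | Format-Table -AutoSize
$delegations | Where-Object Right -eq 'ExtendedRight: Reset Password' | Format-Table OU, Principal
```

Delegations set directly on groups or user objects rather than OUs are not covered by this walk; run the same ACE filter over those objects (for example with Get-ADUser or Get-ADGroup as the source) to complete the picture.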
Entitlement Explorer for Active Directory
Cygna’s Entitlement Explorer for Active Directory simplifies both the collection of and reporting on all permissions, including delegations. Entitlement Explorer allows you to browse current or historical permissions. You can also see where users or groups have rights in the environment. Security audit reports also allow you to report on who has specific rights, such as the password reset entitlement. Please contact firstname.lastname@example.org for a discussion or demo to see how you can simplify your AD entitlements.