Monday, 11 August 2014

Active Directory (AD) delegation is one of the most critical aspects of any organization's IT infrastructure. By delegating administration, you as an administrator grant users or groups only the permissions they require, without adding them to privileged groups (e.g., Account Operators, Domain Admins). Active Directory delegation improves the productivity of the IT department by letting non-administrative users perform specific administrative tasks in Active Directory, it improves the security of the environment, and it allows Active Directory administration to be decentralized. The simplest way to accomplish delegation is with the Delegation of Control Wizard in the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in.

Delegating rights on an organizational unit (OU) container (and by extension on all of the objects in that OU) is an extremely powerful way of granting specific individuals or groups exactly the rights they need to perform particular operations. Presuming that delegation was done through the Delegation of Control Wizard, inspecting the permissions granted on the higher-level container lets you see which users and groups have been granted permissions on that container and on every object contained within it.

To view the delegated permissions and determine which users have rights on a specific object in Active Directory, follow the steps below:

  1. First of all, open the Active Directory console
  2. Navigate down to the desired object and right click on it, then select Properties
  3. From the object's Properties dialog, choose the Security tab
  4. Click the Advanced button, and then select the Permissions tab
  5. Double-click any entry you want to inspect to view the full list of permissions specified for that object

Determining the entire set of user rights on all objects in Active Directory can also be done with automation: retrieve the list of all users, groups and nested groups together with their attributes and the ACLs on objects within Active Directory. After that, you can filter the list on whatever selection criteria you prefer.
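The automated approach, as an added example that is not part of the original post: the script below reads the ACL of every OU under a search base through the ActiveDirectory module's AD: drive, keeps only the explicit (non-inherited) ACEs that the wizard writes, resolves the object-type GUIDs to attribute, class or extended-right names, and prints who was delegated what. It assumes the RSAT ActiveDirectory module on a domain-joined host; the search base distinguished name and the list of principals to skip are placeholders you would adjust.

```powershell
# Added example (not the original post's code): audit explicit ACEs on OUs.
# Assumes the RSAT ActiveDirectory module; the search base below is a placeholder.
Import-Module ActiveDirectory

function Get-GuidNameMap {
    # Map schema GUIDs (attributes/classes) and extended-right GUIDs (e.g. Reset Password)
    # to readable names so ACE ObjectType / InheritedObjectType values make sense.
    $rootDse = Get-ADRootDSE
    $map = @{ [guid]::Empty.ToString() = 'All' }
    Get-ADObject -SearchBase $rootDse.SchemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
        -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $map[([guid]$_.schemaIDGUID).ToString()] = $_.lDAPDisplayName }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.ConfigurationNamingContext)" `
        -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
        ForEach-Object { $map[([guid]$_.rightsGuid).ToString()] = $_.displayName }
    return $map
}

function Get-DelegatedAce {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [hashtable]$GuidMap = (Get-GuidNameMap)
    )
    # Principals that hold rights by default; skipped so that only delegation remains.
    # This list is an assumption of the example, extend it to fit your environment.
    $skip = 'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'BUILTIN\Administrators'
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }   # inherited ACEs were set on a parent
        $who = $ace.IdentityReference.Value
        if ($skip -contains $who -or $who -like '*\Domain Admins' -or $who -like '*\Enterprise Admins') { continue }
        [pscustomobject]@{
            Object      = $DistinguishedName
            Principal   = $who
            Type        = $ace.AccessControlType
            Rights      = $ace.ActiveDirectoryRights
            AppliesTo   = $GuidMap[$ace.ObjectType.ToString()]          # property / extended right
            InheritedTo = $GuidMap[$ace.InheritedObjectType.ToString()] # object class it flows to
            Inheritance = $ace.InheritanceType
        }
    }
}

# Walk every OU under the placeholder search base and list the delegated entries.
$searchBase = 'OU=PLACEHOLDER,DC=example,DC=com'
$map = Get-GuidNameMap
Get-ADOrganizationalUnit -Filter * -SearchBase $searchBase |
    ForEach-Object { Get-DelegatedAce -DistinguishedName $_.DistinguishedName -GuidMap $map } |
    Format-Table Object, Principal, Type, Rights, AppliesTo, InheritedTo -AutoSize
```

Pipe the objects to Export-Csv instead of Format-Table to keep a baseline, so a later run can be compared against it to spot delegation that was added or never withdrawn.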

Limitation of Manual Approach

Delegation of administration is an impressive-sounding term for setting access control lists on organizational units and accounts in Active Directory, but it has its own limitation. The key drawback of the native Active Directory delegation model is the lack of any ability to grant access based on job function.

In addition, to provide the permissions, administrators must manually assign numerous sets of different rights across a large set of objects in Active Directory. Situations also arise where it becomes nearly impossible to withdraw all unnecessary privileges from users whose responsibilities have changed. Such an approach leaves much room for error.


So while delegation is unquestionably beneficial, it also turns out to be a quick way to clutter up directory permissions, make auditing difficult, and turn overall permissions management into a time-consuming procedure. At the end of the day, though, the Delegation of Control Wizard saves you from having to search for all of the permissions needed to handle whatever task you are delegating. The Wizard helps ensure that permission inheritance is set appropriately, so that sub-organizational units can be included in the delegation if desired.

