Active Directory rights delegation – overview


Administrators very often ask how to grant other users from the IT department some specific rights in Active Directory without giving them too many permissions.

Microsoft allows us to do that in a few ways, using:

  • default built-in groups
  • Active Directory Delegation wizard
  • ACL of Active Directory objects

The last option can be done with:

  • Active Directory Users and Computers console
  • ADSI Edit console
  • DSACLS command-line tool (out of scope in this article)

The first method is very simple for some predefined tasks, but built-in groups such as Account Operators also grant far more permissions than the user usually needs. The proper method in such cases is to grant rights with the AD Delegation wizard or one of the other methods mentioned above; this also allows a much more granular assignment of permissions.

Some tasks cannot be delegated with the methods mentioned above, but they can be granted by modifying the appropriate settings in a Group Policy Object (GPO).

Note! I very often see administrators adding users to the “Domain Admins” group to grant them the privileges they need. This is the simplest way but for sure not the proper one! Every member of that group has full control over the whole domain, and every account (and every workstation it logs on to) becomes a target worth compromising. I know, delegating rights requires some administrative effort, but it is really worth implementing. Once rights are delegated, you greatly limit what an accidental mistake or a compromised helpdesk account can do to your environment. Give it a try!

Active Directory Delegation wizard

This wizard is available when you open the Active Directory Users and Computers console and select the Organizational Unit (OU) or domain on which you want to start delegating privileges. Right-click it and choose the “Delegate Control…” option. You should see the wizard.

Delegation Control wizard

Follow the wizard and choose the desired options. On the first screen you will be prompted for the user or group to which you want to grant permissions.

Selecting user or group to grant permissions

Note! It is good practice not to add users directly in the Delegation Control wizard. Instead, create a dedicated group and grant the permission to it. Put each user who requires the permission into that group; removing a user from the group later is then a single, auditable change.

Defined group for task delegation

As you can see on the screen above, I have used a domain local group named dlg-reset-user-password. Its name tells what its purpose is. In this case I will grant the permission to reset user passwords in the domain to that group.

Note! I would strongly recommend naming groups in a way that lets you easily tell what their function is (also use the description field to put more detailed information about the group there).

Next step of delegating permissions

Now you need to select the permissions which will be assigned to the specified group. You can use one of the predefined tasks from the list or select more granular permissions.
To use one of the predefined tasks, select the checkbox next to it (you can select more than one) and go to the next step to finish the action.

Selecting delegated task for group of users

If you want to create a custom task to delegate, choose the second option and click the “Next” button.

Custom task to delegate

Choose the “Only the following objects in this folder” option and select the appropriate object type(s) from the list (for this password reset delegation: User objects).

Custom task delegation – next step

Now you need to select the granular permissions to assign. Before you do that, also tick the “Property-specific” option so that individual attributes are listed.

Selecting more attributes

From the list, choose:

  • Reset password
  • Read lockoutTime
  • Write lockoutTime
  • Read pwdLastSet
  • Write pwdLastSet

and click the “Next” button

Assigning permissions

and finish the action. Now you have delegated the reset of user passwords to the specified group. “Reset password” is an extended right; the four attribute permissions are what make the related checkboxes in a user's properties work: writing pwdLastSet lets the group tick “User must change password at next logon” (which sets pwdLastSet to 0), and writing lockoutTime lets it unlock a locked-out account (which sets lockoutTime to 0). Without them the helpdesk can reset the password but those checkboxes stay greyed out.

Rights delegated

To verify that the rights are delegated, you need to check the ACL of the location on which you performed this action. To see the ACL (the “Security” tab) of that location, you need to enable the “Advanced Features” option in the “View” menu of the ADUC console.

Advanced Features option in ADUC

After that you can simply check whether the task delegation has finished successfully. Right-click the domain or OU (depending on where you performed the delegation) and choose “Properties”. Under the “Security” tab, verify that you can see the group to which you assigned the permissions. The entries for the group should be explicit (not inherited) on the object where you ran the wizard.

Verifying delegated permissions
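The same check done with PowerShell, as an added example that is not part of the original post: it reads the OU's ACL through the AD: drive of the ActiveDirectory module and resolves the object-type GUIDs in each ACE back to attribute, class and extended-right names, so the output reads like the Security tab instead of raw GUIDs. The OU distinguished name and the group name are placeholders; the ActiveDirectory module is assumed to be installed (RSAT or a domain controller) and the caller is assumed to be able to read the OU's security descriptor.

```powershell
# Added example (not code from the original post).
# Assumptions: ActiveDirectory module present; OU DN and group name below are placeholders.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE

# Build a GUID -> name map once: schema classes/attributes (schemaIDGUID) and
# extended rights / property sets (rightsGuid). ACEs reference both kinds by GUID.
$guidNames = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidNames[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(rightsGuid=*)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidNames[[guid]$_.rightsGuid] = $_.displayName }

# Translate an ACE object-type GUID to something readable; empty GUID means "all".
function Resolve-AdGuid {
    param([guid]$Guid)
    if ($Guid -eq [guid]::Empty) { return '(all)' }
    if ($guidNames.ContainsKey($Guid)) { return $guidNames[$Guid] }
    return $Guid.ToString()
}

# List the ACEs on an OU (or the domain), optionally only those granted to one principal.
function Get-OuDelegation {
    param(
        [Parameter(Mandatory)][string]$OuDn,
        [string]$GroupName    # e.g. dlg-reset-user-password; omit to list every ACE
    )
    $acl = Get-Acl -Path "AD:\$OuDn"
    $acl.Access |
        Where-Object { -not $GroupName -or $_.IdentityReference.Value -like "*\$GroupName" } |
        ForEach-Object {
            [pscustomobject]@{
                Identity    = $_.IdentityReference.Value
                Type        = $_.AccessControlType          # Allow / Deny
                Rights      = $_.ActiveDirectoryRights      # ExtendedRight, WriteProperty, ...
                ObjectType  = Resolve-AdGuid $_.ObjectType          # which right / attribute
                AppliesTo   = Resolve-AdGuid $_.InheritedObjectType # which object class
                Inheritance = $_.InheritanceType            # None / All / Descendents / ...
                Inherited   = $_.IsInherited                # $false = set on this object
            }
        }
}

# Placeholder OU and the group created earlier in this post.
Get-OuDelegation -OuDn 'OU=Users,OU=Corp,DC=example,DC=com' -GroupName 'dlg-reset-user-password' |
    Format-Table -AutoSize
```

A successful wizard run shows up as explicit (Inherited = False) Allow entries for the group on the OU you ran it on: one ExtendedRight entry whose ObjectType resolves to “Reset Password”, and ReadProperty/WriteProperty entries for lockoutTime and pwdLastSet, all with AppliesTo = user. Entries with Inherited = True come from a parent container, which is also the first place to look when a group turns out to have more rights than you expected. Running this without -GroupName against every OU from time to time is a cheap way to find delegations that nobody remembers creating.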

That’s all about this method. Now let’s see another way.

ACL of Active Directory objects

In the previous part of this post I showed you how to delegate rights using the Delegation Control wizard. This time you will see how to do the same directly in the ACL (the “Security” tab).

Open the Active Directory Users and Computers console (make sure that the “Advanced Features” option in the “View” menu is selected) and go to the OU or domain on which you want to grant permissions. Right-click it and choose “Properties”, then go to the “Security” tab.

Delegating rights over ACL

Click the “Advanced” button and add the group to which you want to assign permissions.

Delegating rights over ACL

In the “Permission Entry” window, choose “This object and all descendant objects” from the “Apply to” drop-down list and select “Create computer objects”. This grants the group the right to create computer objects in this OU and in every OU beneath it (in ACL terms, the “Create child” right restricted to the computer object class); it does not grant any rights over computer objects that already exist there.
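Both delegations shown in this post (the password reset delegation from the wizard section and the “Create computer objects” entry from this section) can be scripted, which is handy when the same delegation has to be applied to many OUs or to several domains. The following is an added example and not code from the original post: it uses the ActiveDirectory module and its AD: drive, looks up the schema and extended-right GUIDs instead of hard-coding them, and appends explicit Allow ACEs exactly as the wizard and the Security tab do. The OU distinguished names and the dlg-create-computers group name are assumptions; dlg-reset-user-password is the group used earlier in this post.

```powershell
# Added example (not code from the original post).
# Assumptions: ActiveDirectory module present, caller may modify the OUs' DACLs,
# the OU DNs and the group dlg-create-computers are placeholders.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE

# schemaIDGUID of a class or attribute, looked up by its LDAP display name.
function Get-SchemaGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    return [guid]$obj.schemaIDGUID
}

# rightsGuid of an extended (control access) right, looked up by display name.
function Get-ExtendedRightGuid {
    param([Parameter(Mandatory)][string]$DisplayName)
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $obj) { throw "Extended right '$DisplayName' not found" }
    return [guid]$obj.rightsGuid
}

# Append one explicit Allow ACE to the DACL of an OU (or the domain object).
function Add-OuDelegation {
    param(
        [Parameter(Mandatory)][string]$OuDn,
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid,
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [guid]$ObjectType = [guid]::Empty,           # right/attribute/class the ACE is about
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance =
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All,
        [guid]$InheritedObjectType = [guid]::Empty   # object class the ACE applies to
    )
    $acl = Get-Acl -Path "AD:\$OuDn"
    $ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
        $Sid, $Rights, ([System.Security.AccessControl.AccessControlType]::Allow),
        $ObjectType, $Inheritance, $InheritedObjectType
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

# --- 1. Password reset delegation (what the wizard section did by hand) ---
$userOu    = 'OU=Users,OU=Corp,DC=example,DC=com'      # placeholder OU
$resetGrp  = Get-ADGroup 'dlg-reset-user-password'
$userClass = Get-SchemaGuid 'user'

# "Reset password" is an extended right; "Only the following objects in this
# folder" = Descendents inheritance limited to the user class.
Add-OuDelegation -OuDn $userOu -Sid $resetGrp.SID -Rights ExtendedRight `
    -ObjectType (Get-ExtendedRightGuid 'Reset Password') `
    -Inheritance Descendents -InheritedObjectType $userClass

# Read/Write lockoutTime and pwdLastSet are property-specific rights on user objects.
foreach ($attr in 'lockoutTime', 'pwdLastSet') {
    Add-OuDelegation -OuDn $userOu -Sid $resetGrp.SID -Rights 'ReadProperty, WriteProperty' `
        -ObjectType (Get-SchemaGuid $attr) `
        -Inheritance Descendents -InheritedObjectType $userClass
}

# --- 2. "Create computer objects" on this object and all descendant objects ---
$computerOu  = 'OU=Workstations,DC=example,DC=com'    # placeholder OU
$computerGrp = Get-ADGroup 'dlg-create-computers'      # placeholder group

# Create child of class "computer", applied to the OU itself and everything below it.
Add-OuDelegation -OuDn $computerOu -Sid $computerGrp.SID -Rights CreateChild `
    -ObjectType (Get-SchemaGuid 'computer') -Inheritance All
```

The mapping to the GUI is one-to-one: the wizard's “Reset password” becomes an ExtendedRight ACE whose object type is the rightsGuid of the Reset Password control access right; “Read/Write lockoutTime” becomes ReadProperty/WriteProperty with the attribute's schemaIDGUID; “Only the following objects in this folder” becomes Descendents inheritance plus the user class as inherited object type; and “Create computer objects” on “This object and all descendant objects” becomes CreateChild with the computer class GUID and inheritance All. AddAccessRule appends an ACE even if an identical one already exists, so check the Security tab (or compare the output of Get-Acl) before re-running the script on the same OU.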

Delegating rights over ACL

That’s all for this method. The next option you can use is granting privileges over the ACL using ADSI Edit.

ADSI Edit

On Windows Server 2003 you need to install the “Support Tools” from the first installation CD to be able to use ADSI Edit. On Windows Server 2008/2008 R2 it is available automatically on each Domain Controller.

Note! Be careful! ADSI Edit is a powerful tool and you can destroy your domain environment with it. Do not change any option you do not understand. Check it first in a test environment.

Some options/attributes are unavailable in the “Security” tab of the ADUC console, so we can set them using this tool instead. Log on to a Domain Controller or another domain member server on which ADSI Edit is available and run it.

Running ADSIEdit console

Within ADSI Edit, connect to the “Default naming context”.

Choosing context in ADSIEdit

All other steps are the same as in the previous method (ADUC console): right-click the OU or domain, open “Properties”, and edit the “Security” tab.

That’s all for this overview article.


Author: Krzysztof Pytko


7 responses to “Active Directory rights delegation – overview”

  1. Awinish says :

    Nice article Krzysztof Pytko.

  2. Mcosy says :

    Hi,

    I just followed your post but the user cannot reset the account or password (grayed out). My DC is 2008 R2 and the user was in the Account Operators group before.

    1. Create dlg-it
    2. Create gg-it (add dlg-it – Member of)
    3. Create role-Helpdesk (add dlg-it) and user1 to members.
    4. Delegate to IT User OU, but I cannot reset or change anything in this OU?

    Thanks,

    AS

  3. Anbarasu says :

    Hi,

    I used the same method for delegating access to a group of users, but the group of users was not able to modify user groups (like adding to additional groups). Should this delegated user group be assigned a specific set of permissions? If so, which permission do I need to select?

    Thanks in advance

    • iSiek says :

      Hi,

      What have you set up during control delegation? Have you configured it on the OU where those groups are located?

      Thank you in advance for more details

      Regards,
      Krzysztof

