
Active Directory Delegations [Overview]

Delegation is the process of transferring authority, and in large or complex Active Directory environments it is how the people who run the directory hand specific tasks to the teams below them instead of making everyone a Domain Admin. Technically it means adding access control entries (ACEs) to the DACL of an organizational unit (OU), so that a group can perform a defined set of operations on the objects in that OU. This lets routine administration happen faster; for example, the help desk team can be given the right to manage the user accounts in the OU it supports. For security reasons I recommend being very careful when granting these permissions: every delegated right is a standing path from that group to the objects it covers, it is inherited by every object placed in the OU later, and tools such as BloodHound enumerate exactly these ACEs when looking for escalation paths. Grant the narrowest right that does the job, and review the OU's ACL regularly.

#Information

- Granted permissions apply only to the OU they are set on and, through inheritance, to the objects and sub-OUs below it; they do not affect objects elsewhere in the tree unless they are granted at a higher OU or at the domain root.
- The Delegation of Control wizard only adds permissions. To review, edit or remove them, open the OU's properties in Active Directory Users and Computers with View > Advanced Features enabled and use the Security tab > Advanced, or inspect the DACL with dsacls or Get-Acl.
The field shown in the picture (the "Create selected objects in this folder" / "Delete selected objects in this folder" checkboxes in the custom task step) is important. Checking them gives the selected user or group the right to create and delete objects of the selected class in the OU, in addition to whatever property rights you select.
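As an added example that is not part of the original post, the PowerShell below does the review step the Security tab gives you by hand: it lists the explicit (non-inherited) ACEs on an OU and translates the object-type GUIDs into attribute, class and extended-right names so that a row like "WriteProperty on lockoutTime for descendant user objects" is readable. It assumes the RSAT ActiveDirectory module; the OU DN at the bottom is a placeholder.

```powershell
# Added example, not code from the original post. Assumes RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-OuDelegation {
    param(
        [Parameter(Mandatory)][string]$OuDN,
        [switch]$IncludeInherited
    )
    $rootDse = Get-ADRootDSE

    # GUID -> name map: attributes and classes come from the schema, control access
    # rights (Reset Password, Replicating Directory Changes, ...) from Extended-Rights.
    $guidMap = @{}
    Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
        -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $guidMap[([guid]$_.schemaIDGUID).ToString()] = $_.lDAPDisplayName }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
        ForEach-Object { $guidMap[([guid]$_.rightsGuid).ToString()] = $_.displayName }

    # An empty GUID means "all attributes" / "all object classes".
    $name = {
        param([guid]$g)
        if ($g -eq [guid]::Empty) { 'All' }
        elseif ($guidMap.ContainsKey($g.ToString())) { $guidMap[$g.ToString()] }
        else { $g.ToString() }
    }

    foreach ($ace in (Get-Acl -Path "AD:\$OuDN").Access) {
        if ($ace.IsInherited -and -not $IncludeInherited) { continue }
        [pscustomobject]@{
            Identity    = $ace.IdentityReference.Value
            Type        = $ace.AccessControlType
            Rights      = $ace.ActiveDirectoryRights
            AppliesTo   = & $name $ace.ObjectType          # attribute, class or extended right
            ChildClass  = & $name $ace.InheritedObjectType # class of objects the ACE flows to
            Inheritance = $ace.InheritanceType
        }
    }
}

# Usage: who has been delegated what on this OU (placeholder DN), ignoring the default
# built-in principals so the delegated entries stand out.
Get-OuDelegation -OuDN 'OU=Users,OU=Corp,DC=example,DC=com' |
    Where-Object { $_.Identity -notmatch '^(NT AUTHORITY|BUILTIN)\\' -and $_.Identity -ne 'CREATOR OWNER' } |
    Format-Table -AutoSize
```

Run it with -IncludeInherited as well when the OU is nested: a broad right granted two levels up shows as an inherited entry here, and it is just as usable by the grantee as one set directly on the OU.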
##Frequently used Delegations
####################################

Authorization to create and delete users or groups

OU > Delegate Control > Delegate the following common tasks > Create, delete, and manage user accounts; Reset user passwords and force password change at next logon; Create, delete and manage groups. Note that "Create, delete, and manage user accounts" is effectively full control over every user object in the OU; if the OU contains privileged accounts, that is a privilege escalation path for the delegated group.

User account password reset authorization

OU > delegate control > Reset User Passwords and Force Password Change at Next Logon

User account Lock/Unlock authorization

OU > Delegate Control > Create a custom task to delegate > Only the following objects in the folder > User objects > Property-specific > check Read lockoutTime and Write lockoutTime. Unlocking works by writing 0 to lockoutTime, so this pair of property rights is sufficient; no extended right is needed.

Authorization User account enable/disable

OU > Delegate Control > Create a custom task to delegate > Only the following objects in the folder > User objects > General & Property-specific > Read userAccountControl & Write userAccountControl. Caveat: userAccountControl is a bit field, and write access to it is not limited to the ACCOUNTDISABLE bit. The same right lets the holder set DONT_REQUIRE_PREAUTH (making the account AS-REP roastable) or PASSWD_NOTREQD, so grant it only on OUs that contain no privileged accounts.

Authorization to add & remove clients to domain

OU > Delegate Control > Create a custom task to delegate > Only the following objects in the folder > Computer objects > check Create selected objects in this folder and Delete selected objects in this folder. The General > Create All Child Objects / Delete All Child Objects option is broader: it lets the group create and delete objects of any class under the OU, not only computers, so prefer the computer-specific checkboxes. Two caveats: with the default ms-DS-MachineAccountQuota of 10, any authenticated user can already join up to ten computers to the domain without any delegation, so this delegation is about which OU the objects land in rather than about who may join at all; and re-joining a machine whose computer object already exists needs rights on that object (Reset Password, read/write Account Restrictions, validated write to DNS host name and validated write to service principal name) rather than create/delete on the OU.

Authorization to create and delete new OU and subtree

OU > Delegate Control > Create a custom task to delegate > Only the following objects in the folder > Organizational Unit objects > check Create selected objects in this folder and Delete selected objects in this folder > General > Create All Child Objects and Delete All Child Objects. Delegate deletion of OUs sparingly: deleting an OU removes everything under it, including the delegations and Group Policy links applied to it. New OUs are created with "Protect object from accidental deletion" set, which blocks deletion until the flag is cleared.

Attribute Editing Authorization

OU > Delegate Control > Create a custom task to delegate > Only the following objects in the folder > User objects > uncheck General, check only Property-specific > tick Read and Write for the attribute in question. Write on a single attribute is the narrowest delegation possible and is the form to prefer over Write All Properties.

Authorization to Rename Computers

OU > Delegate Control > Create a custom task to delegate > Only the following objects in the folder > Computer objects > General & Property-specific > check Write All Properties. Caveat: Write All Properties on computer objects is far more than a rename. It includes servicePrincipalName and msDS-AllowedToActOnBehalfOfOtherIdentity, and write access to the latter lets the holder configure resource-based constrained delegation on the computer and obtain service tickets to it as any user, i.e. take over the machine. If the team only needs renames, grant Write on the name and cn attributes (and, if they also fix sAMAccountName and dNSHostName, those attributes individually) instead, and keep the broad option away from OUs with sensitive computers.
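The delegations above, done with the ActiveDirectory PowerShell module instead of the wizard, as an added example that is not part of the original post. It assumes the RSAT module on a machine whose current user may modify the OU's DACL; the OU DN and the CORP\HelpDesk group are placeholders. The schema and extended-right GUIDs are resolved from the forest at run time rather than hardcoded, and each user-related ACE is scoped to descendant user objects so the group gets nothing on other object classes in the same OU.

```powershell
# Added example, not code from the original post. Assumes RSAT ActiveDirectory module.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices
$rootDse = Get-ADRootDSE

# Look up a schema GUID (attribute or class) by lDAPDisplayName.
function Get-SchemaGuid([string]$Name) {
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$Name)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$Name' not found" }
    [guid]$obj.schemaIDGUID
}

# Look up a control access (extended) right GUID by display name, e.g. 'Reset Password'.
function Get-ExtendedRightGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $obj) { throw "Extended right '$DisplayName' not found" }
    [guid]$obj.rightsGuid
}

# Append one Allow ACE to an OU's DACL. $ObjectType limits the ACE to one attribute,
# class or extended right; $InheritedObjectClass limits it to child objects of one class.
function Add-OuDelegation {
    param(
        [Parameter(Mandatory)][string]$OuDN,
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [guid]$ObjectType = [guid]::Empty,
        [string]$InheritedObjectClass,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance = 'Descendents'
    )
    $sid = [System.Security.Principal.NTAccount]::new($Identity).Translate(
        [System.Security.Principal.SecurityIdentifier])
    $inheritedType = if ($InheritedObjectClass) { Get-SchemaGuid $InheritedObjectClass } else { [guid]::Empty }
    $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType, $Inheritance, $inheritedType)
    $acl = Get-Acl -Path "AD:\$OuDN"
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$OuDN" -AclObject $acl
}

$ou  = 'OU=Users,OU=Corp,DC=example,DC=com'   # placeholder OU
$grp = 'CORP\HelpDesk'                         # placeholder group

# Reset User Passwords and Force Password Change at Next Logon:
# the Reset Password extended right plus read/write on pwdLastSet, on user objects only.
Add-OuDelegation $ou $grp ExtendedRight (Get-ExtendedRightGuid 'Reset Password') -InheritedObjectClass user
Add-OuDelegation $ou $grp 'ReadProperty, WriteProperty' (Get-SchemaGuid pwdLastSet) -InheritedObjectClass user

# Unlock: read/write lockoutTime (an unlock writes lockoutTime = 0).
Add-OuDelegation $ou $grp 'ReadProperty, WriteProperty' (Get-SchemaGuid lockoutTime) -InheritedObjectClass user

# Enable/disable: read/write userAccountControl (see the caveat above on what else this allows).
Add-OuDelegation $ou $grp 'ReadProperty, WriteProperty' (Get-SchemaGuid userAccountControl) -InheritedObjectClass user

# Join/remove computers: create and delete computer objects in this OU and its sub-OUs,
# limited to the computer class rather than "all child objects".
Add-OuDelegation $ou $grp 'CreateChild, DeleteChild' (Get-SchemaGuid computer) -Inheritance All

# Verify what landed: the explicit ACEs for the group on the OU.
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -eq $grp } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

Each call writes a separate ACE even when a broader one for the same group already exists, so run the verification at the end (or Get-Acl on the OU) after every change; stale broad entries that nobody remembers granting are exactly what a later review should find and remove.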

##TheGuler0x

Hope it will be useful.
This post is licensed under CC BY 4.0 by the author.