Active Directory rights delegation – part 2

Post migrated to:


7 responses to “Active Directory rights delegation – part 2”

  1. George says :

    Hi Krzysztof,

    I enjoyed reading your post that clearly shows how to implement the concept of a delegating roles based tasks in Active Directory. I’ve always been a fan of delegating administration, because it helps reduce the number of Domain Admins, and that’s a good thing for security.

    The only challenge I have found is that once I have delegated roles/tasks, I find it very difficult to then go back and look at all the permissions in Active Directory and try to list who is delegated what access in the Active Directory.

    I recently came across a rather interesting discussion How to find out who is delegated what access in Active Directory and have been following it to see if there is any easy of doing the opposite of delegation i.e. finding out who is delegated what.

    You seem pretty experienced in delegation, so maybe you can share some thoughts on how you try to find out who is delegated what access in Active Directory?

    Thank you – I look forward to your thoughts.


    • iSiek says :

      Hi George,

      thank you for reading my blog 🙂 and I’m sorry for delayed answer, I was on vacations 😀

      According to your question, there are several ways for that (described in the order of the most useful)…

      1) The best way for that is “Administrator’s documentation” where all users/groups are briefly described. That’s the most useful documentation which shows you all delegated permissions in a domain. In reality, I know how this looks like 😉 and I know that documentation in many cases doesn’t exist 🙂

      This is also very difficult evaluating delegated permissions without the documentation when you overtaking another environment. If delegated permissions documentation doesn’t exist then you need to follow one of below described methods

      2) Using 3rd party tool called LIZA. This is free tool allowing you to gather all necessary information about delegated permissions within a domain. This is really simply in use GUI tool which requires .NET 2.0 Framework, so it might be impossible to run directly on 2003 Domain Controllers. However, this allows you to run from any domain member machine with .Net 2.0 installed (let’s say your notebook 🙂 ) Using this tool you can simply evaluate all delegated tasks to users/groups.

      I would really recommend this way if documentation doesn’t exist at all.

      LIZA can be simply downloaded from

      3) Another method to gather all required information is to use DSACLS command. But this requires scripting knowledge and received output requires much more work that using GUI tool. However, if you’re interested this way, please let me know directly on my e-mail (you can find it in “About me” tab) and I will try to help you using DSACLS command in script mode

      4) The least useful way but also working is to collect all information manually reviewing each container/OU in a domain over “Active Directory Users and Computers” console, documenting them during this action.

      All mentioned methods by me above you can also find described on Microsoft Technet page at


  2. Jason says :

    Hi Krzysztof,

    Why did you create all the gg (global groups)? You only used the dlg groups and the Helpdesk role global group to create that delegated set of rules. The global group named role-HelpDesk-it is a member off all the dlg groups you created. Where did the gg groups with the same names go?


    • iSiek says :

      Hi Jason,

      first of all, I’m really sorry for delayed answer. A lot of work and less time for blog answers.

      Going back to your question. That’s really good you pointed this out. I was using this group name convention due to single forest multiple domain environment where you are responisble for access management in entire forest.

      Normally, as Microsoft best practices you should always add user account into global group. Global group should be a member of universal group or in case that you are not using them, within domain local group(s).

      So, in this case all gg groups (global) are members of each dlg (domain local) with equals name after group scope. In example gg-group1 is a member of dlg-group1. This make sense in multiple domain environmnet whereas in single forest single domain it is not obvious because this structure might be unusefyl to you. This requires double number of groups.

      HelpDesk role is a global security group whihc is a part of domain local groups as granting user membership of that group, allows him all required privilages.
      As Microsoft states that global group should be a member of universal or domain local group, I placed the role group into domain local. I wanted to prevent global group nesting. Of course, if you need and you wish, you may use global group nesting and make that role group a member of of each gg global groups.

      I hope it is a little bit more clear now ?


  3. Scott says :

    I’ve done some delegation to our Helpdesk and have a question. I’ve only delegated the rights to unlock accounts and we’ve discovered that this works if they are using ADUC. If they try to use the newer AD Administrative Center, it does not work. Do you know why and how to fix this?

    • iSiek says :

      Hm, strange. Looks like Active Directory Administrative Center is using also another AD attributes. I will check that and I will let you know


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: