The world's most trusted forum on Active Directory Security

TOPIC: How to perform an Active Directory Delegation (i.e. Delegated Access Rights) Audit?


Posts: 3
Date: Jan 3, 2013
How to perform an Active Directory Delegation (i.e. Delegated Access Rights) Audit?

Hello Forum,

I would like to know how to perform a Delegation (i.e. Delegated Access Rights) Audit in Active Directory. One of our clients has requested that we assist them in enumerating and documenting delegated access rights in their environment, and we're trying to find the best way to do this.

Basically, they have a bunch of delegated access rights in their Active Directory, which have been around for almost 5 years now, and they are trying to audit who is delegated what rights in their Active Directory. They've requested us because they want an outside party to perform an independent audit of their delegations.

Although we've assisted many clients in Active Directory migrations, capacity planning, and other aspects of Active Directory management, we're a bit new to the Active Directory audit space, so thought of getting some inputs before we gave any sort of commitment. We have a good relationship with this client, so we would like to help them ourselves if we can.

Thank you for your help.




Posts: 12
Date: Feb 12, 2013
RE: How to perform an Active Directory Delegation (i.e. Delegated Access Rights) Audit?


This is not an easy problem to solve, but the good news is that it is solvable.

You basically have two options to do this -

  • Option 1 - Manually find out who is delegated what access in Active Directory. This is a good option if you have time at your disposal (about 30 minutes per object) and are good at Active Directory security. If so, you can use a free tool like dsacls to manually determine effective access delegated on each object in your Active Directory, and then map this information to delegated tasks to figure out who is delegated what access in your Active Directory. Here is some info on how to manually do this.


  • Option 2 - The second option is to use a tool that automates the process of determining who is delegated what access for you (here is an example of one such tool). The downside of this option is that such tools are very specialized, so they are not free, but the upside is that you can instantly get this information, and it can save you a lot of time and effort.


If you have any questions about this, just let me know, and I'll try to answer them for you.


Bond: There’s a name to die for! (Die Another Day)

Veteran Member

Posts: 28
Date: Feb 28, 2013
How to perform an Active Directory Delegation (i.e. Delegated Access Rights) Audit?

Hi Salim,

It is unfortunately not easy to perform an Active Directory Delegation Audit, especially manually, because doing so involves determining effective permissions in Active Directory, and that is a very difficult thing to do, since the default Effective Permissions tab in Active Directory is not reliable.

If you must do it manually, I would suggest getting your hands on a good Active Directory Permissions Analyzer and then proceeding to determine effective permissions manually.

If you want to save yourself a lot of time and effort, as Nicolas too pointed out, the other option is to find a good automated Active Directory Audit Tool, such as this one, that is capable of performing AD access audits, and use it to fulfill your need.

So, it all boils down to a trade-off between time and effort on one hand, and cost on the other. Doing it manually will involve lots of time and effort, but could save you some money, and a good tool could save you lots of time and effort, but cost you some money. Most companies I have worked with seem to prefer the use of a tool, as they feel that the time and effort of their admins is far more valuable than to have it spent on painful and time-consuming manual access audits.

I hope this helps.



We will NEVER forget.
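An added example, not from any of the posters above, of the first step in Nicolas's "Option 1" (enumerating who holds what access on each object) and of the caveat in the reply after it: what you get from a script like this is the list of explicitly set ACEs, not effective permissions. Deny ACEs, nested group membership, inheritance and the defaults that ship with the schema still have to be reasoned about afterwards, which is the part both posters call hard. The script uses the RSAT ActiveDirectory module (Get-ADObject with the nTSecurityDescriptor property rather than dsacls, so the output is objects you can filter and export). The OU in $SearchBase, the output file name and the list of trustees treated as "default" are assumptions for illustration; the GUIDs are the well-known schema values for the rights they name.

```powershell
# Added example (not from the original thread): enumerate explicit, non-inherited
# Allow ACEs on every object under an OU and flag the ones that matter in a
# delegation audit. Requires the RSAT ActiveDirectory module and read access to
# each object's security descriptor.
Import-Module ActiveDirectory

$SearchBase = 'OU=Corp,DC=example,DC=com'   # assumed example; set to the OU being audited

# Well-known schema GUIDs for rights/attributes that commonly show up in delegations
$InterestingGuids = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'User-Force-Change-Password (reset password)'
    'bf9679c0-0de6-11d0-a285-00aa003049e2' = 'member attribute (change group membership)'
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcc2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcc2' = 'DS-Replication-Get-Changes-All'
}

# Trustees present on most objects by default; listed here so the report shows
# only what someone added on purpose. Review this list for your own forest.
$DefaultTrustees = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'BUILTIN\Administrators',
    'BUILTIN\Pre-Windows 2000 Compatible Access', 'Everyone', 'CREATOR OWNER'
)

function Get-AdDelegationReport {
    param([Parameter(Mandatory)][string]$Base)

    $objects = Get-ADObject -SearchBase $Base -SearchScope Subtree -Filter * `
                            -Properties nTSecurityDescriptor

    foreach ($obj in $objects) {
        foreach ($ace in $obj.nTSecurityDescriptor.Access) {
            # Inherited ACEs are reported once, on the object where they were set
            if ($ace.IsInherited) { continue }
            # Deny ACEs are collected separately below so they are not lost
            $trustee = $ace.IdentityReference.Value
            if ($DefaultTrustees -contains $trustee) { continue }
            if ($trustee -like '*\Domain Admins' -or $trustee -like '*\Enterprise Admins') { continue }

            $rights  = $ace.ActiveDirectoryRights.ToString()
            $objGuid = $ace.ObjectType.ToString()
            $flags   = @()
            if ($rights -match 'GenericAll')   { $flags += 'FULL CONTROL' }
            if ($rights -match 'WriteDacl')    { $flags += 'WriteDacl (can grant itself anything)' }
            if ($rights -match 'WriteOwner')   { $flags += 'WriteOwner' }
            if ($rights -match 'GenericWrite') { $flags += 'GenericWrite' }
            if ($InterestingGuids.ContainsKey($objGuid)) { $flags += $InterestingGuids[$objGuid] }

            [pscustomobject]@{
                Object      = $obj.DistinguishedName
                Type        = $ace.AccessControlType          # Allow or Deny
                Trustee     = $trustee
                Rights      = $rights
                # An all-zero ObjectType means the right applies to the whole object
                ObjectType  = if ($objGuid -eq '00000000-0000-0000-0000-000000000000') { '(all)' } else { $objGuid }
                Inheritance = $ace.InheritanceType            # None, All, Descendents, ...
                Flags       = ($flags -join '; ')
            }
        }
    }
}

# Usage: write the full report, then look at the flagged and Deny rows first.
# Deny entries must be kept in view: a Deny on a parent can cancel an Allow below it,
# which is exactly why an ACE listing is not yet an effective-permissions answer.
$report = Get-AdDelegationReport -Base $SearchBase
$report | Sort-Object Object, Trustee |
    Export-Csv -Path .\ad-delegation-report.csv -NoTypeInformation   # assumed output path
$report | Where-Object { $_.Flags -or $_.Type -eq 'Deny' } |
    Format-Table Object, Type, Trustee, Rights, Flags -AutoSize
```

The per-object loop is the same work dsacls does for one DN at a time; running it over a subtree is what turns "30 minutes per object" into a single pass. Mapping each row back to a delegated task (password reset, group membership management, and so on) and deciding whether the trustee's nested memberships make the right broader than intended is still manual work, which is the trade-off the thread describes.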
