The world's most trusted forum on Active Directory Security

Post Info TOPIC: How to Check Delegation for Any User Account in Active Directory?


Date: Aug 23, 2013


I'd like to know how I can check delegation for any user account in Active Directory.

We have a situation wherein the management of our Active Directory environment is being transferred from the Network Management team to the Security Operations team, because management has deemed that security of Active Directory is critical to the organization.

As a result, we are in the process of transferring the management of Active Directory, as well as all delegations for identity and access management, to a new group of IT analysts in our Security Operations team.

As a part of the transfer, one of the challenges we are faced with is checking and documenting all existing delegations in the Active Directory. Our deployment is about 8 years old, and we use the delegation of administration capability extensively, as it has helped us meet some of our decentralized management requirements.

Now, management wants to change all the delegations, and before transferring authority over, they want to ensure that they have documented which user accounts are currently delegated what admin tasks in the Active Directory, especially on our core user and computer OUs, so they can figure out how to perform the new delegations as well.

As strange as this sounds, we have never tried to document our delegations till now, so although we have been delegating for a long time, we're not sure how to document our existing delegations.

We have started looking at ACLs on all our core organizational units, and on all user accounts and computer accounts, but there are simply way too many objects to be able to look at all of them and try to analyze who is delegated what tasks in the Active Directory.

So, I would like to know if there is any easy way to solve this problem, i.e. check/audit delegations in our Active Directory so we can document them easily.


