In large organizations, there are several teams of IT administrators and help desk specialists, in this case delegation is needed. For example, help desk specialists or team leaders may reset passwords, system administrators may change group memberships, and only IT architects admins may manage OUs. This separation of duties is really helpful for operations and security.
To perform delegation of control you need Domain Admins permissions or have full control on the OUs you want to delegate control over. You can do that several ways: via ADUC, command prompt and others.
Delegation via ADUC
In order to delegate control via Active Directory Users and Computers (dsa.msc). Follow these:
Run dsa.msc. Rightclick the needed OU, and select Delegate control...
The Delegation of Control Wizard appears where you need to click “Next”. Then click “Add...” choose to whom you want to delegate control and click Next
On the Tasks to Delegate window, select the tasks you want to delegate, you can also Create a custom task from scratch.
Click Next and Finish.
Delegation permissions can be viewed in OU’s properties on the Security tab.
Delegation via the command line
For permissions delegation Microsoft developed dsacls.exe. It is good for scripted deployments. It is also good for displaying current permissions. You can use /a parameter to display all permissions for the OU, for example:
dsacls.exe "OU=Employees,DC=office,dc=local" /a
Here we can see KJenkins permissions which we’ve delegated in our previous example.
In order to add new delegated privileges for an account we need to assign to it permissions according to certain syntax. Syntax consists of basic permissions and Advanced, here is the list of basic permissions:
- GR - Generic read
- GE - Generic execute
- GW - Generic write
- GA - Generic full control
The most popular advanced permissions:
- SD - Delete
- DT - Delete an object and all child objects
- RC - Read security information
- WD - Change security information
- WO - Change owner information
- CC - Create child object
- DC - Delete child object
- RP - Read property
- WP - Write property
Lets delegate to our user KJenkins Delete permissions to Employees OU:
dsacls.exe "OU=Employees,DC=office,DC=local" /G OFFICEKJenkins:SD;
Delegation via the built-in groups
By default, there are built-in groups, such as Account Operators and Server Operators which has administrative tasks in Active Directory.
You can place any user to these groups and get additional permissions in domain without the need to grant full control access. But be warned that built-in Account Operators group provides more permissions than are actually required. They can create, modify, and delete all objects, except members of the Domain Admins group, in all OUs except the Domain Controllers OU.
Best Practices for OU Rights Delegation
- Build a delegation control matrix to document all access rights to your AD
- Always use groups when delegating permissions, don’t use individual user accounts. It will be easier and more secure for you to grant delegation access
- Avoid deny permissions because they take precedence over allowed ones and this can make your access lists too complex to manage.
- Try to test the delegation settings for any unwanted effects.