
Delegation the proper way

Shaun Vermaak
My name is Shaun Vermaak and I have always been fascinated with technology and how we use it to enhance our lives and business.
This article describes my battle-tested process for setting up delegation.
I use this process anywhere that I need to set up delegation.

In the article, I will show how it applies to Active Directory.

This delegation model consists of Delegation Groups and Role Groups. These groups are explained in the following sections.

Delegation Group

Delegation groups are named according to the permission that they grant. The permission granted can be, but is not limited to, an AD permission to do a specific task.


Characteristics

  • Can only contain Role Groups
  • Cannot be members of any groups

Some examples of built-in Delegation Groups

  • Domain Administrators
  • Account Operators

Some examples of custom Delegation Groups

  • Password Reset
  • Manage Group Memberships


Role Group

Role groups should be created based on a specific role that a group of people fulfils.


Delegation permissions are granted to these groups via delegation groups. This is done by adding the role group as a member of the delegation groups for the permissions required.

It is worth noting that this delegation is not limited to AD permissions.


If the Help Desk supports a SharePoint environment, a delegation group with certain SharePoint rights can be created and assigned to the Help Desk role group. This way, when a new Help Desk employee starts, it is only required to add a user account to the Help Desk role group.


Characteristics

  • Can only contain privileged user accounts
  • Can only be members of Delegation Groups

Some examples of Role Groups

  • Help Desk
  • Server Administrators

Benefits

  • No delegation against individual user accounts 
  • Reuse of Delegation Groups
  • Easy to manage
  • Quick to determine permissions
  • Uncomplicated to assign correct permissions to an individual based on their function


Real world example

Typically help desks will be given delegated permissions to reset passwords. Instead of delegating permissions to various individuals or directly to the help desk group, the following should be done:

 

  1. Create an intermediate group, DG-ResetPassword in this example. This is the delegation group.
  2. Delegate the Reset Password permission to the DG-ResetPassword group.
  3. Add the help desk role group, RG-HelpDesk in this example, to the DG-ResetPassword delegation group.
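
The three steps above as a PowerShell sketch, followed by a check of the Delegation Group and Role Group characteristics; this is an added example and not part of the original article. It assumes the ActiveDirectory RSAT module, a constructed domain (EXAMPLE, DC=example,DC=com), hypothetical OUs OU=Groups and OU=Staff, group scopes chosen for illustration, and the DG-/RG- name prefixes from this example; Test-DelegationModel is a hypothetical helper name.

```powershell
#Requires -Modules ActiveDirectory
# Added example. Domain, OU paths and group scopes are assumptions, not from the article.
$domainDN = 'DC=example,DC=com'      # constructed domain
$netbios  = 'EXAMPLE'                # constructed NetBIOS domain name
$groupsOU = "OU=Groups,$domainDN"    # hypothetical OU that holds the DG-/RG- groups
$targetOU = "OU=Staff,$domainDN"     # hypothetical OU whose users the help desk supports

# Step 1: create the delegation group. It carries the permission, never people.
New-ADGroup -Name 'DG-ResetPassword' -SamAccountName 'DG-ResetPassword' `
    -GroupCategory Security -GroupScope DomainLocal -Path $groupsOU `
    -Description "Delegation: reset password on users under $targetOU"

# The role group holds the people; create it only if it is not there yet.
if (-not (Get-ADGroup -Filter "SamAccountName -eq 'RG-HelpDesk'")) {
    New-ADGroup -Name 'RG-HelpDesk' -SamAccountName 'RG-HelpDesk' `
        -GroupCategory Security -GroupScope Global -Path $groupsOU `
        -Description 'Role: help desk staff'
}

# Step 2: delegate to the delegation group only. /I:S applies the ACEs to child
# objects and the trailing ";user" limits them to user objects. CA grants the
# "Reset Password" control right; RPWP on pwdLastSet allows forcing a change
# at next logon.
dsacls $targetOU /I:S /G `
    "$netbios\DG-ResetPassword:CA;Reset Password;user" `
    "$netbios\DG-ResetPassword:RPWP;pwdLastSet;user"

# Step 3: nest the role group in the delegation group.
Add-ADGroupMember -Identity 'DG-ResetPassword' -Members 'RG-HelpDesk'

# Verify the model's characteristics on the two groups just configured.
function Test-DelegationModel {
    param([string]$DelegationGroup, [string]$RoleGroup)
    $dg = Get-ADGroup $DelegationGroup -Properties member, memberOf
    $rg = Get-ADGroup $RoleGroup       -Properties member, memberOf
    $findings = @()
    # Delegation groups cannot be members of any groups.
    foreach ($dn in $dg.memberOf) { $findings += "$DelegationGroup is nested in $dn" }
    # Delegation groups can only contain role groups.
    foreach ($dn in $dg.member) {
        $o = Get-ADObject -Identity $dn
        if ($o.ObjectClass -ne 'group' -or $o.Name -notlike 'RG-*') {
            $findings += "$DelegationGroup contains non-role-group member $dn"
        }
    }
    # Role groups can only contain user accounts.
    foreach ($dn in $rg.member) {
        if ((Get-ADObject -Identity $dn).ObjectClass -ne 'user') {
            $findings += "$RoleGroup contains non-user member $dn"
        }
    }
    # Role groups can only be members of delegation groups.
    foreach ($dn in $rg.memberOf) {
        if ((Get-ADGroup -Identity $dn).Name -notlike 'DG-*') {
            $findings += "$RoleGroup is a member of non-delegation group $dn"
        }
    }
    $findings
}

$findings = Test-DelegationModel -DelegationGroup 'DG-ResetPassword' -RoleGroup 'RG-HelpDesk'
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { 'DG-ResetPassword / RG-HelpDesk follow the delegation model.' }
```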


By utilising this delegation process, all delegation done to role groups is easily visible from the Member Of tab. In the example below, it is easy to see that the role group for Help Desk, RG-HelpDesk, has join domain, modify group and reset password rights.


It also enables the reuse of delegation groups. In the example below, the same delegation group used for Help Desk, DG-JoinDomain, can be used to assign join domain rights to the Workstation Technician group.


The reverse is also true. It is quick to see which groups have a particular permission. In the example below, looking at the members of the DG-JoinDomain delegation group, it shows which role groups, RG-HelpDesk and RG-WorkstationTechnician in this case, have permissions to join computers to the domain.




Some extensions to Delegwiz.inf


[Version]
signature="$CHICAGO$"

[DelegationTemplates]

Templates = template1, template2, template3, template4, template5, template6, template7, template8, template9, template10, template11, template12, template13, template14, template15, template16, template17, template18, template19, template20, template21, template22, template23, template24, template25, template26, template27, template28, template29, template30, template31, template32, template33, template34, template35, template36, template37, template38, template39, template40, template41, template42, template43, template44, template45, template46, template47, template48, template49, template50, template51, template52, template53, template54, template55, template56, template57, template58, template59, template60, template61, template62, template63, template64, template65, template66, template67, template68, template69, template70
;---------------------------------------------------------
[template1]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Create, delete, and manage user accounts"

ObjectTypes = SCOPE, user

[template1.SCOPE]
user=CC,DC

[template1.user]
@=GA
;---------------------------------------------------------

;---------------------------------------------------------
[template2]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Reset user passwords and force password change at next logon"

ObjectTypes = user

[template2.user]
CONTROLRIGHT= "Reset Password"
pwdLastSet=RP,WP
;----------------------------------------------------------


;----------------------------------------------------------
[template3]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Read all user information"

ObjectTypes = user

[template3.user]
@=RP

;----------------------------------------------------------
[template4]
AppliesToClasses = organizationalUnit,container

Description = "Create, delete and manage groups"

ObjectTypes = SCOPE, group

[template4.SCOPE]
group=CC,DC

[template4.group]
@=GA

;----------------------------------------------------------


;----------------------------------------------------------
[template5]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Modify the membership of a group"

ObjectTypes = group

[template5.group]
member=RP,WP
;----------------------------------------------------------


;----------------------------------------------------------
[template6]
AppliesToClasses = domainDNS

Description = "Join a computer to the domain"

ObjectTypes = SCOPE

[template6.SCOPE]
computer=CC
;----------------------------------------------------------



;----------------------------------------------------------
[template7]
AppliesToClasses = domainDNS,organizationalUnit,site

Description = "Manage Group Policy links"

ObjectTypes = SCOPE

[template7.SCOPE]
gPLink=RP,WP
gPOptions=RP,WP
;----------------------------------------------------------

;---------------------------------------------------------
[template8]
AppliesToClasses=domainDNS,organizationalUnit

Description = "Generate Resultant Set of Policy (Planning)"

ObjectTypes = SCOPE

[template8.SCOPE]
CONTROLRIGHT= "Generate Resultant Set of Policy (Planning)"
;----------------------------------------------------------

;---------------------------------------------------------
[template9]
AppliesToClasses=domainDNS,organizationalUnit

Description = "Generate Resultant Set of Policy (Logging)"

ObjectTypes = SCOPE

[template9.SCOPE]
CONTROLRIGHT= "Generate Resultant Set of Policy (Logging)"
;----------------------------------------------------------

;---------------------------------------------------------
[template10]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Create, delete, and manage inetOrgPerson accounts"

ObjectTypes = SCOPE, inetOrgPerson

[template10.SCOPE]
inetOrgPerson=CC,DC

[template10.inetOrgPerson]
@=GA
;---------------------------------------------------------



;---------------------------------------------------------
[template11]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Reset inetOrgPerson passwords and force password change at next logon"

ObjectTypes = inetOrgPerson

[template11.inetOrgPerson]
CONTROLRIGHT= "Reset Password"
pwdLastSet=RP,WP
;----------------------------------------------------------


;----------------------------------------------------------
[template12]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Read all inetOrgPerson information"

ObjectTypes = inetOrgPerson

[template12.inetOrgPerson]
@=RP

;----------------------------------------------------------

;---------------------------------------------------------
[template13]
AppliesToClasses=container

Description = "Create, Delete, and Manage WMI Filters"

ObjectTypes = SCOPE, msWMI-Som

[template13.SCOPE]
msWMI-Som=CC,DC

[template13.msWMI-Som]
@=GA
;----------------------------------------------------------

;---------------------------------------------------------
[template14]
AppliesToClasses=domainDNS,organizationalUnit

Description = "Create an Organizational Unit"

ObjectTypes = SCOPE

[template14.SCOPE]
organizationalUnit=CC
;----------------------------------------------------------

;---------------------------------------------------------
[template15]
AppliesToClasses=domainDNS,organizationalUnit

Description = "Delete a child Organizational Unit"

ObjectTypes = SCOPE

[template15.SCOPE]
organizationalUnit=DC
;----------------------------------------------------------

;---------------------------------------------------------
[template16]
AppliesToClasses=organizationalUnit

Description = "Delete this Organizational Unit"

ObjectTypes = organizationalUnit

[template16.organizationalUnit]
@=SD
;----------------------------------------------------------

;---------------------------------------------------------
[template17]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Rename an Organizational Unit"

ObjectTypes = organizationalUnit

[template17.organizationalUnit]
ou=WP
name=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template18]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Modify Description of an Organizational Unit"

ObjectTypes = organizationalUnit

[template18.organizationalUnit]
description=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template19]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Modify Managed-By Information of an Organizational Unit"

ObjectTypes = organizationalUnit

[template19.organizationalUnit]
managedBy=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template20]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Delegate Control of an Organizational Unit"

ObjectTypes = organizationalUnit

[template20.organizationalUnit]
@=WD
;----------------------------------------------------------

;---------------------------------------------------------
[template21]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Create a group"

ObjectTypes = SCOPE

[template21.SCOPE]
group=CC
;----------------------------------------------------------

;---------------------------------------------------------
[template22]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Delete a child group"

ObjectTypes = SCOPE

[template22.SCOPE]
group=DC
;----------------------------------------------------------

;---------------------------------------------------------
[template23]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Delete this group"

ObjectTypes = group

[template23.group]
@=SD
;----------------------------------------------------------

;---------------------------------------------------------
[template24]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Rename a group"

ObjectTypes = group

[template24.group]
cn=WP
name=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template25]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Specify the Pre-Windows 2000 compatible name for the group"

ObjectTypes = group

[template25.group]
sAMAccountName=WP
;----------------------------------------------------------


;---------------------------------------------------------
[template26]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Modify the description of a group"

ObjectTypes = group

[template26.group]
description=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template27]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Modify the scope of the group"

ObjectTypes = group

[template27.group]
groupType=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template28]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Modify the type of the group"

ObjectTypes = group

[template28.group]
groupType=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template29]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Modify notes for a group"

ObjectTypes = group

[template29.group]
info=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template30]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Modify group membership"

ObjectTypes = group

[template30.group]
member=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template31]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Specify Managed-By Information of a Group"

ObjectTypes = group

[template31.group]
managedBy=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template32]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Create a computer account"

ObjectTypes = SCOPE

[template32.SCOPE]
computer=CC
;----------------------------------------------------------

;---------------------------------------------------------
[template33]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Delete a child computer account"

ObjectTypes = SCOPE

[template33.SCOPE]
computer=DC
;----------------------------------------------------------

;---------------------------------------------------------
[template34]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Delete this computer account"

ObjectTypes = computer

[template34.computer]
@=SD
;----------------------------------------------------------

;---------------------------------------------------------
[template35]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Rename a computer account"

ObjectTypes = computer

[template35.computer]
@=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template36]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Disable a computer account"

ObjectTypes = computer

[template36.computer]
userAccountControl=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template37]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Reset a computer account"

ObjectTypes = computer

[template37.computer]
CONTROLRIGHT= "Reset Password"
;----------------------------------------------------------

;---------------------------------------------------------
[template38]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Specify the computer's description"

ObjectTypes = computer

[template38.computer]
description=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template39]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Specify Managed-By information for a computer account"

ObjectTypes = computer

[template39.computer]
managedBy=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template40]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Specify that a computer account be trusted for delegation"

ObjectTypes = computer

[template40.computer]
userAccountControl=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template41]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Create a user account in disabled state"

ObjectTypes = SCOPE

[template41.SCOPE]
user=CC
;----------------------------------------------------------

;---------------------------------------------------------
[template42]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Create a user account"

ObjectTypes = SCOPE , user

[template42.SCOPE]
user=CC

[template42.user]
userAccountControl=WP
CONTROLRIGHT= "Reset Password"
;----------------------------------------------------------

;---------------------------------------------------------
[template43]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Delete a child user account"

ObjectTypes = SCOPE

[template43.SCOPE]
user=DC
;----------------------------------------------------------

;---------------------------------------------------------
[template44]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Delete this user account"

ObjectTypes = user

[template44.user]
@=SD
;----------------------------------------------------------

;---------------------------------------------------------
[template45]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Rename a user account"

ObjectTypes = user

[template45.user]
cn=WP
name=WP
distinguishedName=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template46]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Disable a user account"

ObjectTypes = user

[template46.user]
userAccountControl=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template47]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Unlock a user account"

ObjectTypes = user

[template47.user]
lockoutTime=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template48]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Enable a disabled user account"

ObjectTypes = user

[template48.user]
userAccountControl=WP
;----------------------------------------------------------


;---------------------------------------------------------
[template49]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Reset a user account's password"

ObjectTypes = user

[template49.user]

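; "Reset Password" is the control right for setting a new password without knowing the old one;
; "Change Password" requires the current password and does not match this template's description.
CONTROLRIGHT= "Reset Password"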
;----------------------------------------------------------

;---------------------------------------------------------
[template50]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Force a user account to change the password at the next logon"

ObjectTypes = user

[template50.user]
CONTROLRIGHT= "Reset Password"
; pwdLastSet is the attribute written to force a password change at next logon (as in template2).
pwdLastSet=RP,WP
;----------------------------------------------------------

;---------------------------------------------------------
[template51]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Modify a user's display name"

ObjectTypes = user

[template51.user]
adminDisplayName=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template52]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Modify a user account's description"

ObjectTypes = user

[template52.user]
description=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template53]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Modify a user's office location"

ObjectTypes = user

[template53.user]
physicalDeliveryOfficeName=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template54]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Modify a user's telephone number"

ObjectTypes = user

[template54.user]
telephoneNumber=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template55]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Modify the location of a user's primary web page"

ObjectTypes = user

[template55.user]
wWWHomePage=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template56]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Modify a user's UPN"

ObjectTypes = user

[template56.user]
userPrincipalName=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template57]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Modify a user's Pre-Windows 2000 user logon name"

ObjectTypes = user

[template57.user]
sAMAccountName=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template58]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Modify the hours during which a user can log on"

ObjectTypes = user

[template58.user]
logonHours=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template59]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Specify the computers from which a user can log on"

ObjectTypes = user

[template59.user]
userWorkstations=WP
;----------------------------------------------------------

;---------------------------------------------------------
;[template60]
;AppliesToClasses=domainDNS,organizationalUnit,container

;Description = "Set User cannot change password for a user account"

;ObjectTypes = user

;[template60.user]

;CONTROLRIGHT= "Change Password"
;----------------------------------------------------------

;---------------------------------------------------------
[template61]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Set Password Never Expires for a user account"

ObjectTypes = user

[template61.user]
userAccountControl=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template62]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Set Store Password Using Reversible Encryption for a user account"

ObjectTypes = user

[template62.user]
userAccountControl=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template63]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Disable a user account"

ObjectTypes = user

[template63.user]
userAccountControl=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template64]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Set Smart card is required for interactive logon for a user account"

ObjectTypes = user

[template64.user]
userAccountControl=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template65]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Set Account is sensitive and cannot be delegated for a user account"

ObjectTypes = user

[template65.user]
userAccountControl=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template66]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Set Use DES encryption types for this account for a user account"

ObjectTypes = user

[template66.user]
userAccountControl=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template67]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Set Do not require Kerberos pre-authentication for a user account"

ObjectTypes = user

[template67.user]
userAccountControl=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template68]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Specify the date when a user account expires"

ObjectTypes = user

[template68.user]
accountExpires=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template69]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Specify a profile path for a user"

ObjectTypes = user

[template69.user]
profilePath=WP
;----------------------------------------------------------


;---------------------------------------------------------
[template70]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Specify a logon script for a user"

ObjectTypes = user

[template70.user]
scriptPath=WP
;----------------------------------------------------------
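
Several of the templates above differ only in their Description while the section that follows grants the same right on the same attribute (for example userAccountControl=WP), and a few grant rights on the whole object (@=GA, @=WD). The PowerShell below, an added example that is not part of the original article, parses the file and lists both cases; the function names are hypothetical and $inf holds a few sections copied from the file above.

```powershell
# Added example. $inf holds a few sections copied from the Delegwiz.inf above;
# for the whole file use: $inf = Get-Content -Raw <path to the .inf>
$inf = @'
[template1]
Description = "Create, delete, and manage user accounts"
ObjectTypes = SCOPE, user
[template1.SCOPE]
user=CC,DC
[template1.user]
@=GA
[template20]
Description = "Delegate Control of an Organizational Unit"
ObjectTypes = organizationalUnit
[template20.organizationalUnit]
@=WD
[template46]
Description = "Disable a user account"
ObjectTypes = user
[template46.user]
userAccountControl=WP
[template67]
Description = "Set Do not require Kerberos pre-authentication for a user account"
ObjectTypes = user
[template67.user]
userAccountControl=WP
'@

function Get-DelegwizTemplate {
    param([Parameter(Mandatory)][string]$Text)
    $templates = [ordered]@{}
    $name = $null; $objType = $null
    foreach ($raw in ($Text -split "`r?`n")) {
        $line = $raw.Trim()
        if (-not $line -or $line.StartsWith(';')) { continue }   # blank line or comment
        if ($line -match '^\[(.+)\]$') {                          # any section header
            $name = $null; $objType = $null
            if ($Matches[1] -match '^(template\d+)(?:\.(.+))?$') {
                $name = $Matches[1]; $objType = $Matches[2]
                if (-not $templates.Contains($name)) {
                    $templates[$name] = [pscustomobject]@{ Name = $name; Description = ''; Grants = @() }
                }
            }
            continue
        }
        if (-not $name -or $line -notmatch '^([^=]+?)\s*=\s*(.*)$') { continue }
        $key = $Matches[1].Trim(); $value = $Matches[2].Trim().Trim('"')
        if ($objType) {
            # Inside [templateN.type]: each line is one grant on that object type.
            $templates[$name].Grants += '{0}: {1}={2}' -f $objType, $key, ($value -replace '\s*,\s*', ',')
        } elseif ($key -eq 'Description') {
            $templates[$name].Description = $value
        }
    }
    $templates.Values
}

function Get-DelegwizFinding {
    param([Parameter(Mandatory)][object[]]$Template)
    foreach ($t in $Template) {
        foreach ($g in $t.Grants) {
            # Rights on '@' cover the whole object rather than one attribute.
            if ($g -match ': @=(.*)$' -and (($Matches[1] -split ',') -match '^(GA|WD|WP)$')) {
                [pscustomobject]@{ Kind = 'BroadGrant'; Templates = $t.Name; Detail = "$g ($($t.Description))" }
            }
        }
    }
    # Different descriptions, identical grants: the description does not narrow the right.
    $Template | Group-Object { ($_.Grants | Sort-Object) -join '; ' } |
        Where-Object Count -gt 1 | ForEach-Object {
            [pscustomobject]@{ Kind = 'SameGrant'; Templates = $_.Group.Name -join ','; Detail = $_.Name }
        }
}

Get-DelegwizFinding -Template (Get-DelegwizTemplate -Text $inf) | Format-Table -AutoSize -Wrap
```

A delegation group created from one of the SameGrant templates receives the full write on that attribute, so name the group after the attribute-level right it actually holds rather than after the template's description.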


Please do not forget to press the "Thumb's Up" button if this article was helpful and valuable for EE members.

It also provides me with positive feedback. Thank you!


Expert Comment

by: Jason Brown
Hi Shaun,

Thanks for the useful article explaining rights delegation based on roles for groups. This will help to standardise rights across members in a role as well as to prevent breadcrumb delegations.