It's not just about Wi-Fi connectivity anymore. A wireless security breach can cost your business large amounts of time, trouble, and expense. Plus, hear first-hand from Miercom on how WatchGuard's Wi-Fi security stacks up against the competition plus a LIVE demo!
Delegation the proper way
Published on
38,745 Points
Shaun Vermaak
My name is Shaun Vermaak and I have always been fascinated with technology and how we use it to enhance our lives and business.
This article describes my battle tested process for setting up delegation.
I use this process anywhere that I need to setup delegation.
In the article I will show how it applies to Active Directory
I use this process anywhere that I need to setup delegation.
In the article I will show how it applies to Active Directory
This delegation model consists of Delegation Groups and Role Groups. These groups are explained in the following sections.
Delegation Group
Delegation groups are named according to the permission that they grant. The permission that it grants can be, but is not limited to, AD permission to do a specific task.
Characteristics
- Can only contain Role Groups
- Cannot be members of any groups
Some examples of a built-in Delegation Group
- Domain Administrators
- Account Operators
Some examples of a custom Delegation Group
- Password Reset
- Manage Group Memberships
Role Group
Role groups should be created based on a specific role that group of people fulfil.
These groups are used to add delegation permissions to via delegation groups.This is done by adding the Role group as a member of the delegation groups for the permissions required.
It is worth noting that this delegation is not limited to AD permissions.
If the Help Desk supports SharePoint environment, a delegation group with certain SharePoint rights can be created and assigned to the Help Desk role group. This way when a new Help Desk employee starts, it is only required to add a user account to the Help Desk Role group.
Characteristics
- Can only contain privileged user accounts
- Can only be member of Delegation Groups
Some examples of a Role Group
- Help Desk
- Server Administrators
Benefits
- No delegation against individual user accounts
- Reuse of Delegation Groups
- Easy to manage
- Quick to determine permissions
- Uncomplicated to assign correct permissions to an individual based on their function
Real world example
Typically help desks will be given delegated permissions to reset passwords. Instead of delegating permissions to various individuals or directly to the help desk group, the following should be done:
- Create an intermediate group, DG-ResetPassword in this example. This is the delegation group.
- Delegate the Reset Password permission to the DG-ResetPassword group.
- Add the help desk group role group, RG-HelpDesk in this example, to the DG-ResetPassword delegation group
By utilising this delegation process, all delegation done to role groups is easily visible from the Member Of tab. In the example below, it is easy to see that the role group for Help Desk, RG-HelpDesk, have join domain, modify group and reset password rights.
It also enables the reuse of delegation groups. In the example below, the same delegation group used for Help Desk, DG-JoinDomain, can be used to assign join domain rights to the Workstation Technician group.
The reverse is also true. It is quick to see which groups have a particular permission. In the example below, looking at the members of the DG-JoinDomain delegation group, it shows which role groups, RG-HelpDesk and RG-WorkstationTechnician in this case, have permissions to join computers to the domain.
Some extensions to Delegwiz.inf
[Version] signature="$CHICAGO$" [DelegationTemplates] Templates = template1, template2, template3, template4, template5, template6, template7, template8, template9, template10, template11, template12, template13, template14, template15, template16, template17, template18, template19, template20, template21, template22, template23,template24, template25, template26, template27, template28, template29, template30, template31, template32, template33,template34, template35, template36, template37, template38, template39, template40, template41, template42, template43,template44, template45, template46, template47, template48, template49, template50, template51, template52, template53,template54, template55, template56, template57, template58, template59, template60, template61, template62, template63,template64, template65, template66, template67, template68, template69, template70 ;--------------------------------------------------------- [template1] AppliesToClasses=domainDNS,organizationalUnit,container Description = "Create, delete, and manage user accounts" ObjectTypes = SCOPE, user [template1.SCOPE] user=CC,DC [template1.user] @=GA ;--------------------------------------------------------- ;--------------------------------------------------------- [template2] AppliesToClasses=domainDNS,organizationalUnit,container Description = "Reset user passwords and force password change at next logon" ObjectTypes = user [template2.user] CONTROLRIGHT= "Reset Password" pwdLastSet=RP,WP ;---------------------------------------------------------- ;---------------------------------------------------------- [template3] AppliesToClasses=domainDNS,organizationalUnit,container Description = "Read all user information" ObjectTypes = user [template3.user] @=RP ;---------------------------------------------------------- [template4] AppliesToClasses = organizationalUnit,container Description = "Create, delete and manage groups" ObjectTypes = SCOPE, group [template4.SCOPE] group=CC,DC [template4.group] @=GA ;---------------------------------------------------------- ;---------------------------------------------------------- [template5] AppliesToClasses=domainDNS,organizationalUnit,container Description = "Modify the membership of a group" ObjectTypes = group [template5.group] member=RP,WP ;---------------------------------------------------------- ;---------------------------------------------------------- [template6] AppliesToClasses = domainDNS Description = "Join a computer to the domain" ObjectTypes = SCOPE [template6.SCOPE] computer=CC ;---------------------------------------------------------- ;---------------------------------------------------------- [template7] AppliesToClasses = domainDNS,organizationalUnit,site Description = "Manage Group Policy links" ObjectTypes = SCOPE [template7.SCOPE] gPLink=RP,WP gPOptions=RP,WP ;---------------------------------------------------------- ;--------------------------------------------------------- [template8] AppliesToClasses=domainDNS,organizationalUnit Description = "Generate Resultant Set of Policy (Planning)" ObjectTypes = SCOPE [template8.SCOPE] CONTROLRIGHT= "Generate Resultant Set of Policy (Planning)" ;---------------------------------------------------------- ;--------------------------------------------------------- [template9] AppliesToClasses=domainDNS,organizationalUnit Description = "Generate Resultant Set of Policy (Logging)" ObjectTypes = SCOPE [template9.SCOPE] CONTROLRIGHT= "Generate Resultant Set of Policy (Logging)" ;---------------------------------------------------------- ;--------------------------------------------------------- [template10] AppliesToClasses=domainDNS,organizationalUnit,container Description = "Create, delete, and manage inetOrgPerson accounts" ObjectTypes = SCOPE, inetOrgPerson [template10.SCOPE] inetOrgPerson=CC,DC [template10.inetOrgPerson] @=GA ;--------------------------------------------------------- ;--------------------------------------------------------- [template11] AppliesToClasses=domainDNS,organizationalUnit,container Description = "Reset inetOrgPerson passwords and force password change at next logon" ObjectTypes = inetOrgPerson [template11.inetOrgPerson] CONTROLRIGHT= "Reset Password" pwdLastSet=RP,WP ;---------------------------------------------------------- ;---------------------------------------------------------- [template12] AppliesToClasses=domainDNS,organizationalUnit,container Description = "Read all inetOrgPerson information" ObjectTypes = inetOrgPerson [template12.inetOrgPerson] @=RP ;---------------------------------------------------------- ;--------------------------------------------------------- [template13] AppliesToClasses=container Description = "Create, Delete, and Manage WMI Filters" ObjectTypes = SCOPE, msWMI-Som [template13.SCOPE] msWMI-Som=CC,DC [template13.msWMI-Som] @=GA ;---------------------------------------------------------- ;--------------------------------------------------------- [template14] AppliesToClasses=domainDNS,organizationalUnit Description = "Create an Organizational Unit" ObjectTypes = SCOPE [template14.SCOPE] organizationalUnit=CC ;---------------------------------------------------------- ;--------------------------------------------------------- [template15] AppliesToClasses=domainDNS,organizationalUnit Description = "Delete a child Organizational Unit" ObjectTypes = SCOPE [template15.SCOPE] organizationalUnit=DC ;---------------------------------------------------------- ;--------------------------------------------------------- [template16] AppliesToClasses=organizationalUnit Description = "Delete this Organizational Unit" ObjectTypes = organizationalUnit [template16.organizationalUnit] @=SD ;---------------------------------------------------------- ;--------------------------------------------------------- [template17] AppliesToClasses=domainDNS,organizationalUnit,container Description = "Rename an Organizational Unit" ObjectTypes = organizationalUnit [template17.organizationalUnit] ou=WP name=WP ;---------------------------------------------------------- ;--------------------------------------------------------- [template18] AppliesToClasses=domainDNS,organizationalUnit,container Description = "Modify Description of an Organizational Unit" ObjectTypes = organizationalUnit [template18.organizationalUnit] description=WP ;---------------------------------------------------------- ;--------------------------------------------------------- [template19] AppliesToClasses=domainDNS,organizationalUnit,container Description = "Modify Managed-By Information of an Organizational Unit" ObjectTypes = organizationalUnit [template19.organizationalUnit] managedBy=WP ;---------------------------------------------------------- ;--------------------------------------------------------- [template20] AppliesToClasses=domainDNS,organizationalUnit,container Description = "Delegate Control of an Organizational Unit" ObjectTypes = organizationalUnit [template20.organizationalUnit] @=WD ;---------------------------------------------------------- ;--------------------------------------------------------- [template21] AppliesToClasses=domainDNS,organizationalUnit,container Description = "Create a group" ObjectTypes = SCOPE [template21.SCOPE] group=CC ;---------------------------------------------------------- ;--------------------------------------------------------- [template22] AppliesToClasses=domainDNS,organizationalUnit,container Description = "Delete a child group" ObjectTypes = SCOPE [template22.SCOPE] group=DC ;---------------------------------------------------------- ;--------------------------------------------------------- [template23] AppliesToClasses=domainDNS,organizationalUnit,container Description = "Delete this group" ObjectTypes = group [template23.group] @=SD ;---------------------------------------------------------- ;--------------------------------------------------------- [template24] AppliesToClasses=domainDNS,organizationalUnit,container Description = "Rename a group" ObjectTypes = group [template24.group] cn=WP name=WP ;---------------------------------------------------------- ;--------------------------------------------------------- [template25] AppliesToClasses=domainDNS,organizationalUnit,container Description = "Specify the Pre-Windows 2000 compatible name for the group" ObjectTypes = group [template25.group] sAMAccountName=WP ;---------------------------------------------------------- ;--------------------------------------------------------- [template26] AppliesToClasses=domainDNS,organizationalUnit,container Description = "Modify the description of a group" ObjectTypes = group [template26.group] description=WP ;---------------------------------------------------------- ;--------------------------------------------------------- [template27] AppliesToClasses=domainDNS,organizationalUnit,container Description = "Modify the scope of the group" ObjectTypes = group [template27.group] groupType=WP ;---------------------------------------------------------- ;--------------------------------------------------------- [template28] AppliesToClasses=domainDNS,organizationalUnit,container Description = "Modify the type of the group" ObjectTypes = group [template28.group] groupType=WP ;---------------------------------------------------------- ;--------------------------------------------------------- [template29] AppliesToClasses=domainDNS,organizationalUnit,container Description = "Modify notes for a group" ObjectTypes = group [template29.group] info=WP ;---------------------------------------------------------- ;--------------------------------------------------------- [template30] AppliesToClasses=domainDNS,organizationalUnit,container Description = "Modify group membership" ObjectTypes = group [template30.group] member=WP ;---------------------------------------------------------- ;--------------------------------------------------------- [template31] AppliesToClasses=domainDNS,organizationalUnit,container Description = "Specify Managed-By Information of a Group" ObjectTypes = group [template31.group] managedBy=WP ;---------------------------------------------------------- ;--------------------------------------------------------- [template32] AppliesToClasses=domainDNS,organizationalUnit,container Description = "Create a computer account" ObjectTypes = SCOPE [template32.SCOPE] computer=CC ;---------------------------------------------------------- ;--------------------------------------------------------- [template33] AppliesToClasses=domainDNS,organizationalUnit,container Description = "Delete a child computer account" ObjectTypes = SCOPE [template33.SCOPE] computer=DC ;---------------------------------------------------------- ;--------------------------------------------------------- [template34] AppliesToClasses=domainDNS,organizationalUnit,container Description = "Delete this computer account" ObjectTypes = computer [template34.computer] @=SD ;---------------------------------------------------------- ;--------------------------------------------------------- [template35] AppliesToClasses=domainDNS,organizationalUnit,container Description = "Rename a computer account" ObjectTypes = computer [template35.computer] @=WP ;---------------------------------------------------------- ;--------------------------------------------------------- [template36] AppliesToClasses=domainDNS,organizationalUnit,container Description = "Disable a computer account" ObjectTypes = computer [template36.computer] userAccountControl=WP ;---------------------------------------------------------- ;--------------------------------------------------------- [template37] AppliesToClasses=domainDNS,organizationalUnit,container Description = "Reset a computer account" ObjectTypes = computer [template37.computer] CONTROLRIGHT= "Reset Password" ;---------------------------------------------------------- ;--------------------------------------------------------- [template38] AppliesToClasses=domainDNS,organizationalUnit,container Description = "Specify the computer's description" ObjectTypes = computer [template38.computer] description=WP ;---------------------------------------------------------- ;--------------------------------------------------------- [template39] AppliesToClasses=domainDNS,organizationalUnit,container Description = "Specify Managed-By information for a computer account" ObjectTypes = computer [template39.computer] managedBy=WP ;---------------------------------------------------------- ;--------------------------------------------------------- [template40] AppliesToClasses=domainDNS,organizationalUnit,container Description = "Specify that a computer account be trusted for delegation" ObjectTypes = computer [template40.computer] userAccountControl=WP ;---------------------------------------------------------- ;--------------------------------------------------------- [template41] AppliesToClasses=domainDNS,organizationalUnit,container Description = "Create a user account in disabled state" ObjectTypes = SCOPE [template41.SCOPE] user=CC ;---------------------------------------------------------- ;--------------------------------------------------------- [template42] AppliesToClasses=domainDNS,organizationalUnit,container Description = "Create a user account" ObjectTypes = SCOPE , user [template42.SCOPE] user=CC [template42.user] userAccountControl=WP CONTROLRIGHT= "Reset Password" ;---------------------------------------------------------- ;--------------------------------------------------------- [template43] AppliesToClasses=domainDNS,organizationalUnit,container Description = "Delete a child user account" ObjectTypes = SCOPE [template43.SCOPE] user=DC ;---------------------------------------------------------- ;--------------------------------------------------------- [template44] AppliesToClasses=domainDNS,organizationalUnit,container Description = "Delete this user account" ObjectTypes = user [template44.user] @=SD ;---------------------------------------------------------- ;--------------------------------------------------------- [template45] AppliesToClasses=domainDNS,organizationalUnit,container Description = "Rename a user account" ObjectTypes = user [template45.user] cn=WP name=WP distinguishedName=WP ;---------------------------------------------------------- ;--------------------------------------------------------- [template46] AppliesToClasses=domainDNS,organizationalUnit,container Description = "Disable a user account" ObjectTypes = user [template46.user] userAccountControl=WP ;---------------------------------------------------------- ;--------------------------------------------------------- [template47] AppliesToClasses=domainDNS,organizationalUnit,container Description = "Unlock a user account" ObjectTypes = user [template47.user] lockoutTime=WP ;---------------------------------------------------------- ;--------------------------------------------------------- [template48] AppliesToClasses=domainDNS,organizationalUnit,container Description = "Enable a disabled user account" ObjectTypes = user [template48.user] userAccountControl=WP ;---------------------------------------------------------- ;--------------------------------------------------------- [template49] AppliesToClasses=domainDNS,organizationalUnit,container Description = "Reset a user account's password" ObjectTypes = user [template49.user] CONTROLRIGHT= "Change Password" ;---------------------------------------------------------- ;--------------------------------------------------------- [template50] AppliesToClasses=domainDNS,organizationalUnit,container Description = "Force a user account to change the password at the next logon" ObjectTypes = user [template50.user] CONTROLRIGHT= "Reset Password" userPassword=WP ;---------------------------------------------------------- ;--------------------------------------------------------- [template51] AppliesToClasses=domainDNS,organizationalUnit,container Description = "Modify a user's display name" ObjectTypes = user [template51.user] adminDisplayName=WP ;---------------------------------------------------------- ;--------------------------------------------------------- [template52] AppliesToClasses=domainDNS,organizationalUnit,container Description = "Modify a user account's description" ObjectTypes = user [template52.user] description=WP ;---------------------------------------------------------- ;--------------------------------------------------------- [template53] AppliesToClasses=domainDNS,organizationalUnit,container Description = "Modify a user's office location" ObjectTypes = user [template53.user] physicalDeliveryOfficeName=WP ;---------------------------------------------------------- ;--------------------------------------------------------- [template54] AppliesToClasses=domainDNS,organizationalUnit,container Description = "Modify a user's telephone number" ObjectTypes = user [template54.user] telephoneNumber=WP ;---------------------------------------------------------- ;--------------------------------------------------------- [template55] AppliesToClasses=domainDNS,organizationalUnit,container Description = "Modify the location of a user's primary web page" ObjectTypes = user [template55.user] wWWHomePage=WP ;---------------------------------------------------------- ;--------------------------------------------------------- [template56] AppliesToClasses=domainDNS,organizationalUnit,container Description = "Modify a user's UPN" ObjectTypes = user [template56.user] userPrincipalName=WP ;---------------------------------------------------------- ;--------------------------------------------------------- [template57] AppliesToClasses=domainDNS,organizationalUnit,container Description = "Modify a user's Pre-Windows 2000 user logon name" ObjectTypes = user [template57.user] sAMAccountName=WP ;---------------------------------------------------------- ;--------------------------------------------------------- [template58] AppliesToClasses=domainDNS,organizationalUnit,container Description = "Modify the hours during which a user can log on" ObjectTypes = user [template58.user] logonHours=WP ;---------------------------------------------------------- ;--------------------------------------------------------- [template59] AppliesToClasses=domainDNS,organizationalUnit,container Description = "Specify the computers from which a user can log on" ObjectTypes = user [template59.user] userWorkstations=WP ;---------------------------------------------------------- ;--------------------------------------------------------- ;[template60] ;AppliesToClasses=domainDNS,organizationalUnit,container ;Description = "Set User cannot change password for a user account" ;ObjectTypes = user ;[template60.user] ;CONTROLRIGHT= "Change Password" ;---------------------------------------------------------- ;--------------------------------------------------------- [template61] AppliesToClasses=domainDNS,organizationalUnit,container Description = "Set Password Never Expires for a user account" ObjectTypes = user [template61.user] userAccountControl=WP ;---------------------------------------------------------- ;--------------------------------------------------------- [template62] AppliesToClasses=domainDNS,organizationalUnit,container Description = "Set Store Password Using Reversible Encryption for a user account" ObjectTypes = user [template62.user] userAccountControl=WP ;---------------------------------------------------------- ;--------------------------------------------------------- [template63] AppliesToClasses=domainDNS,organizationalUnit,container Description = "Disable a user account" ObjectTypes = user [template63.user] userAccountControl=WP ;---------------------------------------------------------- ;--------------------------------------------------------- [template64] AppliesToClasses=domainDNS,organizationalUnit,container Description = "Set Smart card is required for interactive logon for a user account" ObjectTypes = user [template64.user] userAccountControl=WP ;---------------------------------------------------------- ;--------------------------------------------------------- [template65] AppliesToClasses=domainDNS,organizationalUnit,container Description = "Set Account is sensitive and cannot be delegated for a user account" ObjectTypes = user [template65.user] userAccountControl=WP ;---------------------------------------------------------- ;--------------------------------------------------------- [template66] AppliesToClasses=domainDNS,organizationalUnit,container Description = "Set Use DES encryption types for this account for a user account" ObjectTypes = user [template66.user] userAccountControl=WP ;---------------------------------------------------------- ;--------------------------------------------------------- [template67] AppliesToClasses=domainDNS,organizationalUnit,container Description = "Set Do not require Kerberos pre-authentication for a user account" ObjectTypes = user [template67.user] userAccountControl=WP ;---------------------------------------------------------- ;--------------------------------------------------------- [template68] AppliesToClasses=domainDNS,organizationalUnit,container Description = "Specify the date when a user account expires" ObjectTypes = user [template68.user] accountExpires=WP ;---------------------------------------------------------- ;--------------------------------------------------------- [template69] AppliesToClasses=domainDNS,organizationalUnit,container Description = "Specify a profile path for a user" ObjectTypes = user [template69.user] profilePath=WP ;---------------------------------------------------------- ;--------------------------------------------------------- [template70] AppliesToClasses=domainDNS,organizationalUnit,container Description = "Specify a logon script for a user" ObjectTypes = user [template70.user] scriptPath=WP ;----------------------------------------------------------
Please do not forget to press the "Thumb's Up" button if this article was helpful and valuable for EE members.
It also provides me with positive feedback. Thank you!
-
3
3
7 Comments
Hi Shaun,
Thanks for the useful article explaining rights delegation based on roles for groups. This will help to standardise rights across members in a role as well as to prevent breadcrumb delegations.
Thanks for the useful article explaining rights delegation based on roles for groups. This will help to standardise rights across members in a role as well as to prevent breadcrumb delegations.
Active today
Within Server 2016 Active Directory I have a HelpDesk group in AD, and need to delegate the permissions to:
o Join PC to domain
o Create a user account
o Reset user password (without having the rights to delete or manage user accounts).
How can the final right to simply reset user passwords be assigned without allowing this HelpDesk AD group to have the rights to delete or manage existing user accounts)?
I have looked in the "Tasks to Delegate" wizard and have seen that there is a checkbox for "Create, delete, and manage user accounts" when the only right I want to give the HelpDesk group is to create users without them having the right to delete or manage user accounts.
How can this be done?
o Join PC to domain
o Create a user account
o Reset user password (without having the rights to delete or manage user accounts).
How can the final right to simply reset user passwords be assigned without allowing this HelpDesk AD group to have the rights to delete or manage existing user accounts)?
I have looked in the "Tasks to Delegate" wizard and have seen that there is a checkbox for "Create, delete, and manage user accounts" when the only right I want to give the HelpDesk group is to create users without them having the right to delete or manage user accounts.
How can this be done?
Active today
Create delegation groups for the following permissions
o Join PC to the domain
o Create a user account
Custom task
o Reset user password (without having the rights to delete or manage user accounts).
Create a role group for your help desk and add it to the above delegation groups
Add helpdesk administrative accounts to the role group
o Join PC to the domain
o Create a user accountCustom task
o Reset user password (without having the rights to delete or manage user accounts).Create a role group for your help desk and add it to the above delegation groups
Add helpdesk administrative accounts to the role group
Active today
What process can I use to see if some of these rights have already been delegated?
Another domain administrator told me he already delegated these rights, but he might have simply delegated them to the wrong group or Organizational Unit (OU).
How can I search all of Active Directory to see if any of these rights have already been applied somewhere?
Another domain administrator told me he already delegated these rights, but he might have simply delegated them to the wrong group or Organizational Unit (OU).
How can I search all of Active Directory to see if any of these rights have already been applied somewhere?
Active today
You can use DSACLS or you can just open properties/security in Active Directory users and computers
Active today
How can I extend the right for a particular AD group to be able to delete any existing Windows 10 computer account (without having the rights to delete or reset any of the server computer accounts)?
Featured Post
This course will introduce you to SQL Server Core 2016, as well as teach you about SSMS, data tools, installation, server configuration, using Management Studio, and writing and executing queries.
Suggested Articles
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Attackers love to prey on accounts that have privileges.
Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Other articles by this author
Suggested Courses
Next Article:SSL Name Mismatch Errors and How to Fix Them