Solved

Active Directory Delegation

Posted on 2008-10-01
Last Modified: 2010-03-17
I went to ADUC and the Delegation of Control Wizard to delegate the authority to perform certain tasks. The problem I have is: how do I tell to whom I've delegated control, and how do I remove it? I don't see the user I just delegated control to listed in the wizard the next time I launch it.
Question by:georgedschneider
10 Comments
 
LVL 70

Expert Comment

by:Chris Dent
ID: 22615993

Hey,

You'd have to look at the security tab I'm afraid.

All the delegation wizard does is provide you with a friendly face for setting the security on a container / OU / object.

Chris
 

Author Comment

by:georgedschneider
ID: 22616025
How do I remove the rights I just added through the security tab?
 
LVL 70

Expert Comment

by:KCTS
ID: 22616092
You need to edit the security settings on the security tab in the same way as you would permissions on a file or folder.

BTW it's best practice only to delegate to groups - even if that group contains only one person initially. That way if you want to revoke permissions you just remove the user from the group - or you can add users to the group to grant them the permissions.
 
LVL 70

Expert Comment

by:Chris Dent
ID: 22616102

If they're not clear under the main security box you'll have to head into Advanced and pick them out of the list again. Depending on what you set it might not really be very hard, for instance, if you applied something to only user accounts watch out for the object type under the "Applies to" column.

Chris
 

Author Comment

by:georgedschneider
ID: 22617989
Can I use a tool such as dsacls to do this?
LVL 70

Expert Comment

by:Chris Dent
ID: 22618009

Sure, it's just less clear than the GUI :) But if you're happy with it you should be fine modifying the ACLs.

Chris
 

Author Comment

by:georgedschneider
ID: 22618237
The problem I'm having is that, looking at the security tab, I'm having a hard time telling which rights are the delegated authorities I've granted. How can I determine what are the delegated authorities versus normal security rights granted to the object?
 
LVL 70

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 22618427

You can't, there's no such difference. As I said above, all the delegation wizard does is dress up the security modification in a friendly form to allow these to be set without having to dig into the underlying rights.

That said, you're likely to find that the permissions are moderately obvious because they'll be explicit at that level rather than implicit because of inheritance.

Which of the permissions are "Not inherited"?

Chris
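The check suggested in the accepted answer, as an added example that is not part of the original thread: list only the explicit ("Not inherited") ACEs on an OU, which is where entries written by the Delegation of Control Wizard end up. It assumes the ActiveDirectory module (RSAT) is installed so the `AD:` drive exists; the function name `Get-ExplicitOuAce` and the OU distinguished name are hypothetical.

```powershell
# Added example: needs the ActiveDirectory module, which provides the AD: drive.
Import-Module ActiveDirectory

function Get-ExplicitOuAce {
    param(
        [Parameter(Mandatory = $true)]
        [string]$DistinguishedName   # placeholder, e.g. 'OU=Staff,DC=example,DC=com'
    )

    $rootDse = Get-ADRootDSE

    # Map GUIDs to names so the ObjectType GUIDs stored in ACEs are readable.
    $guidMap = @{}
    $guidMap[[guid]::Empty] = 'All'
    # Classes and attributes carry their GUID in schemaIDGUID (byte array).
    Get-ADObject -SearchBase $rootDse.schemaNamingContext `
                 -LDAPFilter '(schemaIDGUID=*)' `
                 -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
    # Extended rights (for example Reset Password) carry it in rightsGuid (string).
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
                 -LDAPFilter '(objectClass=controlAccessRight)' `
                 -Properties rightsGuid |
        ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.Name }

    # Fall back to the raw GUID when it is not in the map.
    $resolve = {
        param($g)
        if ($guidMap.ContainsKey($g)) { $guidMap[$g] } else { $g.ToString() }
    }

    # Keep only ACEs set directly on this object (IsInherited = False).
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { -not $_.IsInherited } |
        ForEach-Object {
            [pscustomobject]@{
                Principal = $_.IdentityReference
                Type      = $_.AccessControlType
                Rights    = $_.ActiveDirectoryRights
                Object    = & $resolve $_.ObjectType
                Scope     = $_.InheritanceType          # this object, children, or both
                AppliesTo = & $resolve $_.InheritedObjectType
            }
        }
}

Get-ExplicitOuAce -DistinguishedName 'OU=Staff,DC=example,DC=com' |
    Sort-Object Principal | Format-Table -AutoSize
```

The ACL carries no marker for entries the wizard wrote, and the default entries an OU receives when it is created are also explicit, so comparing the output with that of a freshly created OU helps isolate what was delegated.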
 

Author Comment

by:georgedschneider
ID: 22665597
Would the best way be to create a temp account, check its rights, and then delegate authority and see what has changed?
 
LVL 70

Expert Comment

by:Chris Dent
ID: 22667185

I normally delegate permissions to a group, but in effect that's the same thing and your approach would certainly work well to see the impact of the change.

Chris