Solved

Delegation in Active directory

Posted on 2010-01-12
Last Modified: 2012-05-08
In the Delegation option in Active Directory (Windows 2003), I gave access to someone to modify the user details of such, and now I have changed my mind and want to remove that user's access. But I can't find such an option.

Also, how can I check what users I added to the Delegation thing? Is there such a report to show me the users added there and what roles they can perform on the Active directory / domain?
Question by:kvelkhoury
6 Comments
 
LVL 49

Assisted Solution

by:Akhater
Akhater earned 600 total points
ID: 26295805
In ADUC, go to View -> Advanced settings.

Then right-click the OU whose delegation you want to change, choose Properties, and go to Security.

That's it.

All the delegation wizard does is set permissions.
0
 
LVL 18

Expert Comment

by:Americom
ID: 26296114
In the future, grant permission, and any type of permission on any resource, by group and never grant it to an individual user account, so that you don't have to make changes in the advanced settings but only need to remove that user from the group.
0
 

Author Comment

by:kvelkhoury
ID: 26300976
You guys didn't get me. I don't want to know how to use Delegation. I want to know, if I added someone for some function and then wanted to remove them, how can I do that, AND also how can I know who was added to the delegation before (I came to the project after everything was set up and don't know if mistakes happened by adding the wrong people to do such and such).
0
 
LVL 49

Expert Comment

by:Akhater
ID: 26301123
I told you how in my first post:

"In ADUC, go to View -> Advanced settings.

Then right-click the OU whose delegation you want to change, choose Properties, and go to Security.

That's it."
0
 

Author Comment

by:kvelkhoury
ID: 26302087
Akhater, I chose the advanced setting for the view, then when I chose properties on the OU, I go to security, but all I see is the "READ/WRITE/ETC.." on groups. But I've set once for some USER to change passwords for users, now where do I find that option for me to REMOVE??
0
 
LVL 18

Accepted Solution

by:Americom
Americom earned 1400 total points
ID: 26304834
Whatever user or group you have delegated, it appears as a result of "READ/WRITE/ETC" when you click on the Security tab of an OU or user/computer object. There you can see all the groups or users with their respective permissions; these are the AD ACEs. To dig into more specifics, you click on the "Advanced" button. It is not very friendly and could be very messy when making adjustments there if you were not the one who originally made the delegation. That was the reason why I suggested that, in the future, any delegation should be done to a group and not a user account, and the group should take note of what the delegation was for, etc.

To really find out what you need, you need to do the above or find out the user's membership association etc. to troubleshoot. The other way is to do another delegation to override the previous one so that you can have better control as to who should have what right based on the group membership.

There is no simple tool where you can report in a friendly view all the ACEs, as they are much more complicated than the NTFS folder permissions. The software we occasionally use to troubleshoot these ACE settings for a specific AD object (user or group) is called Active Administrator from www.scriptlogic.com. It's not a cheap product, as it does more AD management such as security alerts, GPOs, etc. But even with such products, you still need to be familiar with how delegation changes the ACEs.

Your best bet for your question above is to first look at an OU where you know you have not made any delegation and compare it with the OU where you have done the delegation. You should see the user or group that you gave permission to via the delegation listed there, in addition to the other default groups, under "Group or user names" on the Security tab.
0
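
The check described in the accepted answer (find the user or group ACEs that sit directly on an OU, then remove the unwanted ones) can be scripted. This is an added example, not code from anyone on this thread; it uses only .NET System.DirectoryServices through PowerShell's [ADSI] adapter, and the domain DN, OU and account names are placeholders.

```powershell
# Added example. Placeholder names are assumptions; replace them for your domain.
$DomainDN = 'DC=example,DC=local'
# Schema GUID of the "Reset Password" extended right (User-Force-Change-Password).
$ResetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$NTAccount = [System.Security.Principal.NTAccount]

function Get-ExplicitOuAce {
    param([string]$SearchBase)
    $searcher = [adsisearcher]'(objectCategory=organizationalUnit)'
    $searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
    $searcher.PageSize = 500
    foreach ($hit in $searcher.FindAll()) {
        $ou = $hit.GetDirectoryEntry()
        # includeExplicit = $true, includeInherited = $false: only ACEs set on this OU.
        # This still lists the default ACEs every OU gets, so compare against an OU
        # that was never delegated, as the accepted answer suggests.
        foreach ($r in $ou.psbase.ObjectSecurity.GetAccessRules($true, $false, $NTAccount)) {
            New-Object PSObject -Property @{
                OU            = $hit.Properties['distinguishedname'][0]
                Account       = $r.IdentityReference.Value
                Type          = $r.AccessControlType
                Rights        = $r.ActiveDirectoryRights
                ObjectType    = $r.ObjectType
                ResetPassword = ($r.ObjectType -eq $ResetPasswordGuid)
            }
        }
    }
}

function Remove-ExplicitOuAce {
    param([string]$OuDN, [string]$Account, [switch]$Commit)
    $ou = [ADSI]"LDAP://$OuDN"
    # Read and write the DACL only, leaving owner and SACL untouched.
    $ou.psbase.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Dacl
    $acl = $ou.psbase.ObjectSecurity
    $matched = @($acl.GetAccessRules($true, $false, $NTAccount) |
                 Where-Object { $_.IdentityReference.Value -eq $Account })
    foreach ($r in $matched) { $acl.RemoveAccessRuleSpecific($r) }
    # Without -Commit nothing is written; the function only reports what matches.
    if ($Commit) { $ou.psbase.CommitChanges() }
    $matched
}

Get-ExplicitOuAce -SearchBase $DomainDN |
    Select-Object OU, Account, Type, Rights, ResetPassword |
    Sort-Object OU, Account | Format-Table -AutoSize
# Dry run for one account on one OU (add -Commit to write the change):
# Remove-ExplicitOuAce -OuDN 'OU=Staff,DC=example,DC=local' -Account 'EXAMPLE\jdoe'
```

Rows whose Account is an individual user rather than a group are the ones to review first, and the ResetPassword column flags the password-reset delegation the asker mentions.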

Question has a verified solution.
