Delegation in Active directory

In the Delegation option in Active Directory (Windows 2003), I gave someone access to modify the user details of such, and now I have changed my mind and want to remove that user's access. But I can't find such an option.

Also, how can I check which users I added to the Delegation thing? Is there a report that shows me the users added there and what roles they can perform on the Active Directory / domain?
Asked by: kvelkhoury

Akhater Commented:
In ADUC, go to View -> advanced settings,

then right-click the OU whose delegation you want to change, choose Properties, and go to Security.

That's it.

All the delegation wizard does is set permissions.
0
 
Americom Commented:
In the future, grant permissions of any type on any resource to a group and never to an individual user account, so that you don't have to make changes in the advanced settings but only need to remove that user from the group.
0
 
kvelkhoury (Author) Commented:
You guys didn't get me. I don't want to know how to use Delegation. I want to know, if I added someone for some function and then wanted to remove them, how I can do that, AND also how I can find out who was added to the delegation before (I came to the project after everything was set up and don't know if mistakes were made by adding the wrong people to do such and such).
0
 
Akhater Commented:
I told you how in my first post:

"In ADUC, go to View -> advanced settings,

then right-click the OU whose delegation you want to change, choose Properties, and go to Security.

That's it."
0
 
kvelkhoury (Author) Commented:
Akhater, I chose the advanced setting for the view, then when I chose Properties on the OU, I went to Security, but all I see is the "READ/WRITE/ETC.." on groups. But I once set it so that some USER could change passwords for users; now where do I find that option so I can REMOVE it?
0
 
Americom Commented:
Whatever user or group you have delegated to appears as a result of "READ/WRITE/ETC" when you click on the Security tab of an OU or user/computer object. There you can see all the groups or users with their respective permissions; these are the AD ACEs. To dig into more specifics, click on the "Advanced" button. It is not very friendly and could be very messy when making adjustments there if you were not the one who originally made the delegation. That was the reason why I suggested that, in the future, any delegation should be done to a group and not a user account, and the group should take note of what the delegation was for, etc.

To really find out what you need, you need to do the above or find out the user's membership association etc. to troubleshoot. The other way is to do another delegation to override the previous one so that you can have better control as to who should have what right based on the group membership.

There is no simple tool that can report all the ACEs in a friendly view, as they are much more complicated than NTFS folder permissions. The software we occasionally use to troubleshoot these ACE settings for a specific AD object (user or group) is called Active Administrator, from www.scriptlogic.com. It's not a cheap product, as it does other AD management such as security alerts, GPOs, etc. But even with such products, you still need to be familiar with how delegation changes the ACEs.

Your best bet for your question above is to first look at an OU where you know you have not made any delegation and compare it with the OU where you have done the delegation. You should see the user or group that you gave permission to via the delegation listed there, in addition to the other default groups, under "Group or user names" on the Security tab.
0
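
One way to script the comparison described in the last post (an undelegated OU against the OU under review), as an added example that is not part of the original thread. It assumes PowerShell run under an account allowed to read and write the OU's security descriptor; the OU distinguished names and the account `EXAMPLE\jdoe` are placeholders, and the function names are hypothetical.

```powershell
# Added example; the OU DNs and the account name are placeholders (assumptions).
$baselineOu = 'OU=Untouched,DC=example,DC=com'   # an OU that was never delegated
$targetOu   = 'OU=Staff,DC=example,DC=com'       # the OU under review

function Get-ExplicitAce {
    param([string]$DistinguishedName)
    $entry = [ADSI]"LDAP://$DistinguishedName"
    # First $true = include explicit ACEs, $false = leave out inherited ones.
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules(
        $true, $false, [System.Security.Principal.NTAccount])
    foreach ($r in $rules) {
        New-Object psobject -Property @{
            Identity            = $r.IdentityReference.Value
            Type                = [string]$r.AccessControlType
            Rights              = [string]$r.ActiveDirectoryRights
            ObjectType          = [string]$r.ObjectType           # attribute or extended-right GUID
            InheritedObjectType = [string]$r.InheritedObjectType  # class the ACE applies to
            AppliesTo           = [string]$r.InheritanceType
        }
    }
}

# ACEs present on the reviewed OU but not on the baseline: the delegations to look at.
# A "reset password" delegation appears as Rights = ExtendedRight with
# ObjectType 00299570-246d-11d0-a768-00aa006e0529.
$props = 'Identity','Type','Rights','ObjectType','InheritedObjectType','AppliesTo'
Compare-Object @(Get-ExplicitAce $baselineOu) @(Get-ExplicitAce $targetOu) -Property $props |
    Where-Object { $_.SideIndicator -eq '=>' } |
    Sort-Object Identity |
    Format-Table $props -AutoSize -Wrap

# Removes every explicit ACE held by one trustee on the given object.
function Remove-ExplicitAce {
    param([string]$DistinguishedName, [string]$Identity)
    $entry = [ADSI]"LDAP://$DistinguishedName"
    $sec   = $entry.psbase.ObjectSecurity
    $sec.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.IdentityReference.Value -eq $Identity } |
        ForEach-Object { $sec.RemoveAccessRuleSpecific($_) }
    $entry.psbase.CommitChanges()   # writes the trimmed DACL back to the directory
}
# Remove-ExplicitAce -DistinguishedName $targetOu -Identity 'EXAMPLE\jdoe'
```

The report covers only ACEs set on the OU object itself; permissions set directly on individual child objects need the same check run against those objects.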