How to Safely Delegate Control In Active Directory

In this blog post, I’ll show you how to safely delegate control in Active Directory to other users in the organization without giving them administrative rights that will break things in Active Directory.

Using Active Directory delegation, we can break down the tasks we want to delegate and be very specific about the permissions we give users, without compromising the security and health of the organization.

Many Active Directory environments are not secure and are very vulnerable to attacks from inside and outside the organization because of poor delegation control and relaxed permissions.

The tool used to delegate control in Active Directory is called the Delegation of Control Wizard and is accessible from the Active Directory console.

To delegate control, we need to be logged on with an admin account and start the wizard from the Active Directory Users and Computers console by right-clicking the domain name and selecting Delegate Control.

AD Management Console.

To start the wizard, click Next.

AD Delegation wizard.

Click Add to select the user we want to delegate control to.

AD Delegation wizard.

You can select one user, multiple users, or a group (it is best to use groups).

In my case, I’ll delegate a few permissions, as shown below.

Note: If you scroll down the list, you will see that there are many tasks that can be easily assigned, and we can be very specific about what we allow users to do.

For example, you could give one user the task of joining computers to the domain and another user the task of resetting passwords.

AD Delegation wizard.

Click Finish and close the wizard.

For the delegation to work, ask the user to log off before trying to manage Active Directory.
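
After the wizard finishes, it is worth checking exactly what was granted. The script below is an added example, not part of the original post: it lists the explicit Allow entries on the container where control was delegated and resolves the object GUIDs (for example the Reset Password extended right) to readable names. It assumes the RSAT ActiveDirectory module is installed; `$TargetDN` and `Resolve-AceGuid` are hypothetical names chosen for this example.

```powershell
# Added example (not from the original post): review the explicit ACEs that
# delegation leaves on a container. Requires the RSAT ActiveDirectory module.
param(
    # Hypothetical parameter: DN of the domain or OU where control was delegated.
    [string]$TargetDN
)
Import-Module ActiveDirectory
if (-not $TargetDN) { $TargetDN = (Get-ADDomain).DistinguishedName }

# Build a GUID -> name map so ACE object types are readable.
$rootDse = Get-ADRootDSE
$guidMap = @{}
# Schema classes and attributes (used by property and child-object ACEs).
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
# Extended rights such as Reset Password.
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.name }

function Resolve-AceGuid([guid]$Guid) {
    if ($Guid -eq [guid]::Empty) { return '(all)' }
    if ($guidMap.ContainsKey($Guid)) { return $guidMap[$Guid] }
    return $Guid.ToString()
}

# Explicit (non-inherited) Allow entries are the ones set directly on this
# container, which is where the wizard writes its grants.
(Get-Acl -Path "AD:\$TargetDN").Access |
    Where-Object { -not $_.IsInherited -and $_.AccessControlType -eq 'Allow' } |
    ForEach-Object {
        [pscustomobject]@{
            Trustee   = $_.IdentityReference.Value
            Rights    = $_.ActiveDirectoryRights
            Object    = Resolve-AceGuid $_.ObjectType
            AppliesTo = Resolve-AceGuid $_.InheritedObjectType
            Scope     = $_.InheritanceType
        }
    } |
    Sort-Object Trustee, Object |
    Format-Table -AutoSize
```

Any trustee in the output that is not a group you intended to delegate to, or any entry with broader rights than the task requires, is a candidate for removal.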
