Delegate Control Wizard reports

crib bar 576 Reputation points
2024-04-16T11:36:29.4566667+00:00

Does the Delegate Control Wizard in AD allow an auditor to view which permissions have already been 'delegated' within AD/a domain? Or is it purely for delegating new permissions? If it does not, how exactly could you determine where such permissions have been deleted and to whom within AD objects in the domain?

Purely out of interest, what sort of 'day to day' permissions & tasks is it common to delegate in AD?


Accepted answer
  1. Marcin Policht 12,320 Reputation points MVP
    2024-04-16T11:49:35.6166667+00:00

    In short, no.

    For tracking permission changes, you'd need to implement auditing. Details at https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/use-audit-active-directory-objects-track-events

    For the best practices regarding delegation, refer to https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/implementing-least-privilege-administrative-models


    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

    1 person found this answer helpful.
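
The wizard only writes access control entries (ACEs) onto the object it is run against, so existing delegations can be read back from the ACLs of the OUs. The script below is an added example, not part of the original answer or of Microsoft's documentation: it lists every explicit (non-inherited) ACE on each OU and who holds it. The exclusion list, the group-name pattern and the output file name are assumptions to adjust for your domain.

```powershell
# Added example: report explicit (non-inherited) ACEs on every OU in the current domain.
# Requires the ActiveDirectory module (RSAT) and read access to the directory.
Import-Module ActiveDirectory   # also creates the AD: drive used by Get-Acl below

# Assumption: principals treated as defaults and left out of the report.
# Illustrative, not exhaustive; names differ on localized installations.
$ignore = @(
    'NT AUTHORITY\SYSTEM',
    'NT AUTHORITY\SELF',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    'BUILTIN\Administrators',
    'BUILTIN\Account Operators',
    'BUILTIN\Print Operators',
    'BUILTIN\Pre-Windows 2000 Compatible Access',
    'CREATOR OWNER',
    'Everyone'
)
# Assumption: default admin groups, matched regardless of the domain prefix.
$ignorePattern = '\\(Domain Admins|Enterprise Admins)$'

$report = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)
    foreach ($ace in $acl.Access) {
        # Inherited ACEs are reported once, on the OU where they were set.
        if ($ace.IsInherited) { continue }
        $who = $ace.IdentityReference.Value
        if ($ignore -contains $who -or $who -match $ignorePattern) { continue }

        [pscustomobject]@{
            OU          = $ou.DistinguishedName
            Principal   = $who
            Type        = $ace.AccessControlType      # Allow or Deny
            Rights      = $ace.ActiveDirectoryRights  # e.g. WriteProperty, ExtendedRight
            ObjectType  = $ace.ObjectType             # GUID of attribute, class or extended right; all zeros = any
            AppliesTo   = $ace.InheritedObjectType    # GUID of the child class the ACE targets
            Inheritance = $ace.InheritanceType        # None, Children, Descendents, All ...
        }
    }
}

# Output file name is an assumption.
$report | Sort-Object OU, Principal |
    Export-Csv -Path .\ou-delegations.csv -NoTypeInformation
```

The `ObjectType` and `AppliesTo` columns are schema or extended-right GUIDs; resolving them to names requires a lookup against the schema and the Extended-Rights container, which this script does not do.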
