News Stay informed about the latest enterprise technology news and product updates.

Ask Microsoft: How can I determine what AD rights have been delegated?

A senior director and service manager for Microsoft's internal IT organization explain how to troubleshoot Active Directory rights and object delegation.

On a regular basis, top Microsoft executives answer readers' toughest technical questions about Windows-based systems. This installment of "Ask Microsoft" was answered by Michelle Beaulieu, Identity Management Service Manager, Microsoft IT, and Karen Vasishth, Senior Director, Microsoft IT.

To submit a technical question for consideration, send an email to [email protected].

Question: I recently took over admin duties of a large Active Directory network. How can I determine what AD rights have been delegated and to what objects? Is there a functionality in the wizard for this?

Answer: Microsoft Active Directory is an object-based directory service that provides the foundation for infrastructure and identity management for networks built on Microsoft Windows Server 2000 and later. The delegation of rights on organizational unit (OU) containers of objects (and by extension to all of the objects in that OU) is an efficient, flexible, and extremely powerful method of conferring the appropriate rights to perform specific operations to specific individuals or groups. Deriving the delegated rights based on the documentation of your organization's delegation plan is usually the best place to start.

Presuming that delegation has been done through the Delegation Wizard, then inspecting the permissions granted on the higher level container will show which users/groups have permissions to operate (and in what manner) on that container and any object contained within it. To determine which users have rights on a specific object in Active Directory, open the Active Directory console, navigate to the desired object and right click on it, then select Properties. From the object's Properties dialog, choose the Security tab, click on Advanced, and then choose the Permissions tab. Double-click on any object you wish to inspect to see the full list of permissions specified for that object.

Determining the complete set of all user rights on all objects in Active Directory could be done by using automation to retrieve the list of all users, groups, and nested groups and their specified attributes and ACLs on objects within Active Directory, then filtering the list on whatever selection criteria you choose. For a list of the Active Directory scripts available on Microsoft TechNet, go to:
-- Michelle Beaulieu and Karen Vasishth

Dig Deeper on Windows systems and network management