Hello E J,
Thank you for your question and for reaching out with your question today.
To delegate access from one Active Directory (AD) computer object to another, you will need the appropriate permissions within AD. Specifically, you will require the following permissions:
1. Delegate Control permission:
   - To delegate control from one computer object to another, you need the "Delegate Control" permission on the source computer object.
   - This permission allows you to specify which actions can be performed on the source computer object and delegate those permissions to a specific user or group.
2. Write All Properties permission:
   - To modify the necessary properties of the target computer object, you need the "Write All Properties" permission on the target computer object.
   - This permission allows you to modify the necessary attributes, such as the "msDS-AllowedToActOnBehalfOfOtherIdentity" attribute, which is used to grant access to the target computer object.
To grant these permissions, you will typically require the following roles or membership:
1. Domain Admins:
   - Members of the Domain Admins group have full administrative rights over the entire Active Directory domain. By default, they have the necessary permissions to delegate control and modify computer object properties.
   - However, it is not recommended to grant this level of access to regular users unless absolutely necessary for administrative purposes.
2. Custom Role:
   - To create a custom role with the necessary permissions, you can define a new role in Active Directory with specific privileges for delegating control and modifying computer object properties.
   - You can use the built-in Active Directory administrative tools, such as Active Directory Users and Computers, to create a custom role and assign the required permissions.
   - Ensure that the custom role has appropriate limitations and is only assigned to trusted administrators who need the specific delegation capabilities.
Please note that the exact steps for creating a custom role and assigning permissions may vary based on your specific AD environment and administrative tools.
I used AI provided by ChatGPT to formulate part of this response. I have verified that the information is accurate before sharing it with you.
If the reply was helpful, please don’t forget to upvote or accept as answer.
Best regards.
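The following audit is an added example, not part of the answer above. It lists which principals are currently allowed to delegate to a target computer and which ACEs on that computer object permit writing the "msDS-AllowedToActOnBehalfOfOtherIdentity" attribute. It assumes the ActiveDirectory PowerShell module (RSAT) is installed; the computer name `APP01` is a hypothetical placeholder.

```powershell
# Added example. 'APP01' is a hypothetical target computer name.
Import-Module ActiveDirectory

$target = Get-ADComputer -Identity 'APP01' `
    -Properties PrincipalsAllowedToDelegateToAccount, nTSecurityDescriptor

# 1. Principals currently allowed to delegate to the target. This property is
#    the decoded view of msDS-AllowedToActOnBehalfOfOtherIdentity.
'Principals allowed to delegate to {0}:' -f $target.Name
$target.PrincipalsAllowedToDelegateToAccount

# 2. Resolve the attribute's schema GUID from the forest schema at run time,
#    so object-specific ACEs can be matched without hard-coding the value.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=msDS-AllowedToActOnBehalfOfOtherIdentity)' `
    -Properties schemaIDGUID
$attrGuid = [guid]$attr.schemaIDGUID

# 3. Rights that let a principal change the attribute, directly
#    (WriteProperty, GenericWrite, GenericAll) or indirectly by rewriting
#    the ACL or taking ownership (WriteDacl, WriteOwner).
$r = [System.DirectoryServices.ActiveDirectoryRights]
$writeMask = $r::WriteProperty -bor $r::GenericWrite -bor $r::GenericAll -bor
             $r::WriteDacl -bor $r::WriteOwner

# 4. Allow ACEs that apply to every property (empty ObjectType, which is how
#    "Write All Properties" appears) or to this attribute specifically.
$target.nTSecurityDescriptor.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $writeMask) -and
        ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $attrGuid)
    } |
    Sort-Object IdentityReference |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited |
    Format-Table -AutoSize
```

Entries with `IsInherited` set to `True` come from a parent OU, so a broad write permission granted at the OU level shows up here for every computer beneath it.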