Delegate Control Wizard reports

crib bar 846 Reputation points
2024-04-16T11:36:29.4566667+00:00

Does the Delegate Control Wizard in AD allow an auditor to view which permissions have already been 'delegated' within AD/a domain? Or is it purely for delegating new permissions? If it does not, how exactly could you determine where such permissions have been deleted and to whom within AD objects in the domain?

Purely out of interest, what sort of 'day to day' permissions & tasks is it common to delegate in AD?

Windows for business | Windows Client for IT Pros | Directory services | Active Directory
Windows for business | Windows Server | Devices and deployment | Configure application groups

Accepted answer
  1. Marcin Policht 50,730 Reputation points MVP Volunteer Moderator
    2024-04-16T11:49:35.6166667+00:00

    In short, no.

    For tracking permission changes, you'd need to implement auditing. Details at https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/use-audit-active-directory-objects-track-events

    For the best practices regarding delegation, refer to https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/implementing-least-privilege-administrative-models


    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

    1 person found this answer helpful.
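
One way to see what is already delegated is to read the ACLs directly. The script below is an added example, not part of the question or the accepted answer. It lists the explicit (non-inherited) ACEs on every OU and resolves the schema and extended-right GUIDs to names. It assumes the RSAT ActiveDirectory module and read access to the directory; the `$ignore` pattern of default principals and the `Resolve-Guid` helper are assumptions made for illustration.

```powershell
# Added example: report explicit ACEs on OUs, i.e. what a delegation wrote there.
Import-Module ActiveDirectory   # also creates the AD: drive used by Get-Acl

$rootDse = Get-ADRootDSE

# Build a GUID -> name map for attributes/classes and extended rights.
$guidMap = @{}
$guidMap[[guid]::Empty] = 'All'
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
        -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.name }

# Hypothetical helper: fall back to the raw GUID when no name is known.
function Resolve-Guid([guid]$Guid) {
    if ($guidMap.ContainsKey($Guid)) { $guidMap[$Guid] } else { $Guid }
}

# Assumption: principals that hold rights by default and are noise in a
# delegation review. Adjust (or empty) this pattern for your own domain.
$ignore = '^NT AUTHORITY\\|^BUILTIN\\|^CREATOR OWNER$|^Everyone$|' +
          '\\(Domain Admins|Enterprise Admins)$'

$report = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    (Get-Acl -Path "AD:\$($ou.DistinguishedName)").Access |
        Where-Object { -not $_.IsInherited -and
                       $_.IdentityReference.Value -notmatch $ignore } |
        ForEach-Object {
            [pscustomobject]@{
                OU          = $ou.DistinguishedName
                Principal   = $_.IdentityReference.Value
                Type        = $_.AccessControlType          # Allow / Deny
                Rights      = $_.ActiveDirectoryRights
                Object      = Resolve-Guid $_.ObjectType         # attribute or right
                AppliesTo   = Resolve-Guid $_.InheritedObjectType # child class
                Inheritance = $_.InheritanceType
            }
        }
}

$report | Sort-Object OU, Principal | Format-Table -AutoSize -Wrap
```

This shows the current state only and covers OUs, not the domain root or other containers; who changed an ACL and when still has to come from the auditing described in the answer.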
