Management of Active Directory is commonly delegated to local or departmental administrators. This means that certain individuals are (for example) granted permission to create user accounts and manage security groups within a given area of the directory. Microsoft provides a built-in wizard (known as the Delegation of Control Wizard) to delegate these tasks; it does the work of applying all the underlying permissions associated with the task.
For example, here are just a few of the many underlying permissions granted when you delegate the task [Create, delete, and manage user accounts] over an OU:
- List Contents
- List Object
- Delete Object
- Delete Subtree
- Read Permissions
- Read All Properties
- Modify Permissions
- Modify Owner
There are potentially hundreds of underlying permissions for any given delegated task. The challenge, therefore, lies in being able to understand and report on which rights have been delegated over time. How do you know who has been delegated those permissions? How do you know when underlying permissions are updated after the wizard has applied the task? Or when rights are applied directly without using the wizard? How do you know who has rights to create accounts through their group memberships when groups may be several levels deep?
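The questions above can be answered for one OU at a time by reading the OU's ACL directly and expanding group trustees. The script below is an added example (not NetVision's or Microsoft's code) that reports who can create user objects under an OU, including rights inherited from higher in the tree or applied outside the wizard, and flattens nested groups to their member accounts. It assumes the RSAT ActiveDirectory module on a domain-joined host; the OU distinguished name is a placeholder.

```powershell
# Added example, not NetVision's code. Report who can create user objects under one OU,
# resolving group trustees to their nested members. Assumes the RSAT ActiveDirectory module
# (and its AD: drive) on a domain-joined host; the OU path below is a placeholder.
Import-Module ActiveDirectory

$ouDN          = 'OU=Sales,DC=example,DC=com'                  # placeholder: OU under review
$userClassGuid = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # schema GUID of the 'user' class
$createChild   = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild

$acl = Get-Acl -Path "AD:\$ouDN"

# Allow ACEs granting CreateChild, either for the 'user' class specifically or for all
# classes (ObjectType = empty GUID). Inherited ACEs count too: that is how rights granted
# higher in the tree, or applied without the wizard, reach this OU.
$aces = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (($_.ActiveDirectoryRights -band $createChild) -eq $createChild) -and
    ($_.ObjectType -eq $userClassGuid -or $_.ObjectType -eq [Guid]::Empty)
}

foreach ($ace in $aces) {
    $trustee = $ace.IdentityReference.Value      # 'DOMAIN\name', or a raw SID if unresolvable
    $sam     = $trustee.Split('\')[-1]
    $obj     = Get-ADObject -LDAPFilter "(sAMAccountName=$sam)" -ErrorAction SilentlyContinue

    $members = switch ($obj.ObjectClass) {
        'group' {
            # -Recursive flattens nested groups, however deep, to their leaf members
            Get-ADGroupMember -Identity $obj.DistinguishedName -Recursive |
                Where-Object ObjectClass -eq 'user' |
                Select-Object -ExpandProperty SamAccountName
        }
        'user'  { $sam }
        default { "<unresolved: $trustee>" }     # well-known/foreign SIDs, deleted accounts
    }

    [pscustomobject]@{
        OU             = $ouDN
        Trustee        = $trustee
        Inherited      = $ace.IsInherited        # $false = set directly on this OU
        AppliesTo      = $ace.InheritanceType
        UserClassOnly  = ($ace.ObjectType -eq $userClassGuid)
        EffectiveUsers = ($members | Sort-Object -Unique) -join ', '
    }
}
```

Running the same script at intervals and diffing the output is one way to notice rights that were added directly on the OU after the wizard ran.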
NetVision’s Access Rights Inspector has a built-in ability to produce in-depth reports on rights over Active Directory objects, including reports on the tasks delegated via the Delegation of Control Wizard. It provides extremely useful reports and removes the guesswork and manual effort associated with understanding what tasks have been delegated throughout Active Directory.