Microsoft built Active Directory so that accounts other than Domain Admins can perform administrative actions on particular objects in the directory. This concept, called delegation, is used by most organizations that have deployed Active Directory. Common delegations include resetting user passwords, modifying group membership, and adding computers to an organizational unit. Microsoft provides this delegation through a wizard in the Active Directory Users and Computers tool. The wizard is straightforward and simple to use, yet the permission changes it makes to implement a delegation can be quite complex. That complexity, together with the difficulty of verifying which delegations have been granted, creates the need for a way to check the delegations that are in place so that access to Active Directory stays correct.
Concept of Delegation
Delegation means that a domain administrator can allow a non-domain administrator to control specific tasks over specified objects in Active Directory. Delegations are easy to set up, can be narrowed to cover only a portion of the objects in Active Directory, and can be granted to individual users (not recommended) or to groups. Here are some examples of delegations that are commonly used in Active Directory.
The Engineering department has 25 users, and their user accounts are located in the Engineering organizational unit (OU). A dedicated help desk unit is responsible for the engineering users and their desktops. This help desk group has 5 technicians, all of whom are members of the HD_engineering group. The HD_engineering group can be granted the ability to reset passwords for only the 25 users in the Engineering OU; because the permission is set on the OU and inherited by the user objects under it, it does not reach user accounts elsewhere in the domain.
The human resources department is working on a new project and new software. They have hired an outside vendor to do most of the work and want to reduce the load on IT during the project. Many groups have been created in Active Directory for the project and software, and these groups are located in the HR\Project OU. The domain administrators have placed the HR employees working on the project in a group called HR_Proj_Admins, and then delegated to the HR_Proj_Admins group the ability to modify the membership of the groups located in the HR\Project OU.
What is Delegation
As you can see, delegation has some powerful uses, and the fact that Active Directory provides this control is a huge benefit. However, when the delegation wizard is run to set these delegations, what actually happens behind the scenes?
The delegation wizard modifies the security permissions (the discretionary access control list, or DACL) on the OU and, through inheritance, on the objects located in the OU, so that the user(s)/group(s) gain the associated capabilities. It is similar to granting "Read" access on a folder so that a group can read the files located in that folder. In the Active Directory case, the permissions are the Reset Password right on the user objects in the OU and write access to the member attribute of the groups in the OU.
Figure 1 and Figure 2 show the three permissions the wizard sets on the OU when delegating password resets for the users in the OU: the Reset Password control access right, plus read and write access to the pwdLastSet attribute, which is what lets the delegate force a password change at next logon.
Figure 1: Permissions set by Delegation Wizard for resetting passwords.
Figure 2: Permissions set by Delegation Wizard for resetting passwords.
Figure 1 and Figure 2 are taken from the Security tab of the OU. Permissions set at the OU level apply to the user accounts located in the OU and, through inheritance, in its child OUs.
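The same three permissions, granted from the command line with the built-in dsacls.exe so that each one is explicit as it is set, then read back from the OU to confirm they landed. This is an added example, not code from the original article or from the wizard itself; the domain CORP, the distinguished name of the Engineering OU and the HD_engineering group are assumed values taken from the earlier scenario.

```powershell
# Added example (not from the original article). Grants the same three permissions
# the Delegation of Control wizard sets for "Reset user passwords and force
# password change at next logon" on an OU, using dsacls.exe, then reads the DACL
# back to confirm the trustee is present.
# Assumed values: domain CORP, the Engineering OU below, and the HD_engineering group.
param(
    [string]$OU      = "OU=Engineering,DC=corp,DC=example",
    [string]$Trustee = "CORP\HD_engineering"
)

# /I:S   apply the ACE to sub-objects only (the OU object itself is untouched)
# CA     control access right, here the "Reset Password" extended right
# RP/WP  read property / write property, here the pwdLastSet attribute
# ;user  restrict the inherited ACE to user objects
# ${Trustee}: (braces) keeps PowerShell from reading "$Trustee:" as a drive qualifier.
$grants = @(
    "${Trustee}:CA;Reset Password;user",
    "${Trustee}:RP;pwdLastSet;user",
    "${Trustee}:WP;pwdLastSet;user"
)

foreach ($g in $grants) {
    # PowerShell quotes the argument for the native exe because it contains a space.
    & dsacls.exe $OU /I:S /G $g | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed while granting '$g' on $OU" }
}

# dsacls with no switches lists every ACE on the object; the three ACEs above appear
# under the "Permissions inherited to subobjects are:" section for user objects.
$listing = & dsacls.exe $OU
$mine = $listing | Where-Object { $_ -match ('^(Allow|Deny)\s+' + [regex]::Escape($Trustee)) }
if (-not $mine) { throw "No ACEs for $Trustee found on $OU after granting" }
$mine
```

Run it in an elevated PowerShell session as an account that can modify the OU's permissions; the last lines print the Allow entries for the trustee exactly as dsacls reports them, which is the same view you would otherwise have to assemble from the Advanced Security dialog in Figures 1 and 2.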
The Delegation Wizard Drawbacks
Although the delegation wizard has some real power behind it, there are drawbacks that make it hard to fully rely on. Yes, the wizard can ensure that the delegations you want are set properly, as long as you pick the correct OU, the correct user(s)/group(s), and the correct delegations. However, verifying that the resulting settings are correct is very difficult: the wizard itself gives you no way to see what it did, and working it out from the Advanced view of the Security tab means reading a long list of access control entries one at a time.
So the first drawback is the complexity of the settings the wizard writes. Nothing reports back to you what was set through the wizard. There is a final screen, but it does not report details, just a confirmation that the wizard has finished and a prompt for you to acknowledge it.
The second issue is that the wizard cannot report on what is set on any OU or object. The wizard is simply a configuration tool, not a reporting tool. This applies both to the default permissions present on all OUs and other objects and to the permissions that previous runs of the wizard have set. Even if the permissions you are trying to set are already in place, the wizard will simply put the same permissions on top of what is already there, without reporting that the settings already exist.
The third issue with the delegation wizard is that it cannot remove permissions. Say you delegate the resetting of passwords on the HR OU to the HR_PW_Reset group. Once this delegation is in place, you cannot remove it by using the delegation wizard. You would need to remove those permissions manually, either on the Security tab of the OU or from the command line with the /R switch of dsacls.exe.
Verifying Delegations on OUs and other AD Objects
Since the delegation wizard is "set only" and provides neither reporting nor removal of permissions, you need another tool for those tasks. Microsoft ships one with the operating system: dsacls.exe, a command-line tool. Run with just an object's distinguished name, it lists the permissions on that object; with the /R switch it removes all permissions held by a given user or group. Because it is a command-line tool, you can also script it or put it into a batch file.
The tool is quite simple and can be run from any computer that is joined to the domain and has the tool installed. It is present on domain controllers and on servers with the AD DS administration tools; client operating systems can also run it once adminpak.msi (older versions) or the Remote Server Administration Tools (RSAT) for that client OS are installed.
To run the tool, type dsacls followed by the distinguished name (LDAP path) of the OU whose permissions you want to view, such as the Engineering OU from the earlier scenario. The output looks like Figure 3.
Figure 3: Output from dsacls for an OU in Active Directory.
To analyze the output, go line by line looking for users and groups that should not be on the list, and check that the permissions granted to the users and groups that should be there match the delegation you intended.
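The line-by-line review described above, automated: an added example (not part of the original article) that runs dsacls.exe against an OU, parses its output into one object per access control entry, reports every trustee that is not on an approved list, and prints the dsacls /R command that would strip that trustee's permissions, running it only when -Remove is given. The domain CORP, the OU's distinguished name and the group names in the approved list are assumed values; the default trustees listed are the usual ones on a domain OU and should be trimmed to what your own forest uses.

```powershell
# Added example (not from the original article): audit an OU's ACL with the built-in
# dsacls.exe, flag trustees outside an approved list, and show (or with -Remove, run)
# the "dsacls /R" command that removes every ACE held by that trustee on the OU.
# Assumed values: domain CORP, the Engineering OU and the group names below.
param(
    [string]$OU = "OU=Engineering,DC=corp,DC=example",
    [string[]]$Approved = @(
        # Delegated group from the scenario plus the usual default trustees on a domain OU.
        'CORP\HD_engineering', 'CORP\Domain Admins', 'CORP\Enterprise Admins',
        'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'NT AUTHORITY\Authenticated Users',
        'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
        'BUILTIN\Administrators', 'BUILTIN\Account Operators', 'BUILTIN\Print Operators',
        'BUILTIN\Pre-Windows 2000 Compatible Access', 'Everyone'
    ),
    [switch]$Remove
)

# dsacls prints one "Allow <trustee>   <permission>" line per ACE, with further
# permissions of the same ACE on indented continuation lines; a long trustee name
# pushes the first permission onto the next line too. Section headings such as
# "Permissions inherited to subobjects are:" and "Inherited to user" say where the
# ACEs that follow apply. This is a best-effort parse of that column layout.
function ConvertFrom-DsaclsOutput {
    param([string[]]$Lines)
    $scope   = 'this object'
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^Permissions inherited to subobjects') { $scope = 'subobjects'; $current = $null; continue }
        if ($line -match '^Inherited to (.+)$') { $scope = "$($Matches[1].Trim()) objects"; $current = $null; continue }
        if ($line -match '^(Allow|Deny)\s+(.+?)(?:\s{2,}(\S.*))?\s*$') {
            $current = [pscustomobject]@{
                Scope       = $scope
                Type        = $Matches[1]
                Trustee     = $Matches[2].Trim()
                Permissions = @()
            }
            if ($Matches[3]) { $current.Permissions += $Matches[3].Trim() }
            $current      # emitted now; later continuation lines update the same object
            continue
        }
        if ($current -and $line -match '^\s{4,}(\S.*)$') { $current.Permissions += $Matches[1].Trim() }
    }
}

$raw = & dsacls.exe $OU
if ($LASTEXITCODE -ne 0) { throw "dsacls returned exit code $LASTEXITCODE for $OU" }

$aces     = @(ConvertFrom-DsaclsOutput -Lines $raw)
$findings = @($aces | Where-Object { $Approved -notcontains $_.Trustee })   # -notcontains is case-insensitive

"{0} ACEs read from {1}; {2} belong to trustees outside the approved list" -f $aces.Count, $OU, $findings.Count
$findings | Format-Table Scope, Type, Trustee, @{ n = 'Permissions'; e = { $_.Permissions -join ', ' } } -AutoSize

# dsacls /R removes every ACE held by the trustee on this object. ACEs inherited from
# a parent OU cannot be removed here; they have to be removed on the parent.
foreach ($trustee in ($findings | Select-Object -ExpandProperty Trustee -Unique)) {
    if ($Remove) {
        & dsacls.exe $OU /R $trustee | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "dsacls /R failed for $trustee on $OU" }
        else { "Removed all ACEs for $trustee on $OU" }
    }
    else {
        "Would run: dsacls.exe `"$OU`" /R `"$trustee`""
    }
}
```

Run it first without -Remove and read the table: a trustee such as a former contractor's group holding Reset Password on user objects, or Write Property on the member attribute of groups, is exactly the kind of leftover delegation the wizard will never tell you about. Only once the list of findings is what you expect should you rerun with -Remove, and keep the dsacls listing taken beforehand so the change can be reversed with /G if something relied on it.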
Microsoft's delegation wizard is a good solution for setting permissions on AD objects, but not for reporting on or removing them. It is also very hard to see the permissions set on OUs and other objects, because the wizard gives no feedback on what it sets and no insight into the permissions already present. It is important to ensure that the permissions on your OUs and objects are correct; otherwise you could be allowing users you never intended to manage AD objects. By using dsacls, which is free and built in, you can quickly get a report of the permissions that are set and then remove any that are wrong, either on the Security tab or with dsacls /R. After analyzing and removing inappropriate permissions, the security of your Active Directory will be much improved.