When Delegation Doesn’t Seem to Take

Delegation is a powerful feature of Active Directory that lets an administrator grant users and groups the permissions and rights needed to perform certain tasks. For example, you can delegate to a junior admin the ability to reset the passwords on any account or to view the properties of any account but not change these properties. That can free you, the senior administrator, to focus on more pressing matters.

Sometimes however delegation doesn’t work as you expect. In particular, in certain circumstances delegation won’t “take” properly and the permissions assigned by the Delegation of Control Wizard are later mysteriously revoked.

This can happen when the account you are trying to delegate to is a member of one of the protected groups i.e. Domain Admins, Server Operators, Backup Operators, and similar built-in groups. These groups are themselves designed to facilitiate delegation by automatically granting certain user rights to any account that belongs to them as a member. But the Delegation of Control Wizard works differently, and the permission and rights assigned to an account by this wizard are enforced once an hour by a special thread running on the PDC Emulator, the big kahuna of domain controllers on your network. So what happens is that if you delegate some task to Bob, and Bob is a member of Backup Operators (either explicitely or through nesting of some other group Bob belongs to), and if the delegation of the task to Bob assigns permissions or rights that conflict with the implicit permissions and rights granted to any member of Backup Operators, then in less than an hour you’re likely to see Bob’s delegation revoked and Bob unable to perform the task you delegated to him.

Watch out for this. You can avoid this problem by not using the protected groups at all, except for the high-level ones of Enterprise, Schema and Domain Admins. If you do choose to use the Operators groups however, then make sure you carefully check the group membership (explicit and nested) of a user or group before you delegate a task to them using the Delegation of Control Wizard.

Final caveat: this tip applies to AD in Windows 2000 SP4 or later, and Windows Server 2003.

Mitch Tulloch (MVP Windows Server) is a well-known industry expert in Windows administration and security and author of fourteen books including the Microsoft Encyclopedia of Networking, the Microsoft Encyclopedia of Security, Windows Server Hacks and IIS6 Administration. Mitch is based in Winnipeg, Canada and is President of MTIT Enterprises, an IT content development company. You can find more information about him on his website www.mtit.com

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top