I am looking for any tool or PS command which will list Delegation permissions assigned to helpdesk users.
In our organisation HelpDesk user has delegation permissions so he can change Tell phone number, Job Title,email id, location etc... so his delegation rights should restricted to this much only -- but I observed that he can move users from one OU to another not checked any other rights ..
with that regards I am looking for tool or PS command so I can check user permissions and correct if any wrong permissions are assigned.
AD Delegation permissions
- 998 Views
- Last Post 01 March 2017
In certain scenarios it is often easier to delegate specific permissions to a group, then nest the role into the group. This way way you click Member of" you can see the delegation (capability). Delegating directly to a role makes it a mare to understand,
plus by creating delegation groups you only do the delegation once.
I.e. Group - reset password; Group - unlock account; Group - Create User
Then nest Service Desk into these groups.
Cloud | Identity | Security
MVP Enterprise Mobility | MCM Directory Services
Twitter | Blog | LinkedIn | Skype
Another option is the to use the DSACLS command line utility and target it at the OU. From a command prompt run:
DSACLS "OU Distinguished Name"
That will show all the permissions currently assigned to the OU (Inherited from above and those applied directly to the OU).
A move operation is basically a creation and deletion operation, so you can check who all have those permissions, if you want to narrow it down.
My working hours are from 1:00 PM to 9:00 PM IST (1:30 AM CST to 9:30 AM CST)
I'm not sure of an exact powershell command as such. But when auditing AD delegations I have always used the VB script written by Sakari Kouti. It's at the bottom of the page of the link
http://www.kouti.com/scripts.htm (AD ACL Report).
This script provides a html report of all the delegations in a domain, and there are options to tailor the report.