Active Directory Delegation FAQ - The How

Frequently asked HOW questions related to delegating administration in Active Directory –

1. How do I delegate administrative authority in Active Directory?

   Active Directory makes it very easy to delegate administrative authority for identity and access management. To delegate administrative authority in Active Directory, begin by identifying the three elemental aspects of delegation –

   1. Which administrative tasks you wish to delegate?

   2. Whom you wish to delegate the tasks to?

   3. What is the scope of your delegation? (It could be a single Active Directory object, or a tree thereof)

   Once you have identified the tasks, the delegates and the scope of your delegation, you should determine what permissions need to be granted to delegate these tasks, where and how these permissions should be granted, and whom they should be granted to.

   To determine what permissions to grant, see the Top-20 Delegations page. In regards to where to grant them, the general guideline is to use inheritable permissions, in which case you should grant them on the top-most object in your scope. As to whom to grant them to, you should consider creating a security group to represent a role, making all delegates members of this security group, and granting the permissions to this security group.

   For specific details on how to delegate a specific administrative task, please refer to the How To Delegate section.








Would you like to find out who is delegated what access in AD? You can, with Gold Finger from Paramount Defenses !         Free Download













2. How do I undelegate administrative authority in Active Directory?

   The process of undelegating administrative authority in Active Directory is also rather simple. To undelegate administrative authority begin by identifying the three elemental aspects of undelegation –

   1. Which administrative tasks you wish to undelegate?

   2. Whom you wish to undelegate the tasks from?

   3. What is the scope of your undelegation? (It could be a single Active Directory object, or a tree thereof)

   To determine what permissions to revoke, see the Top-20 Delegations page. In regards to where to revoke them from them, if using inheritance, you should revoke them on the top-most object in your scope. As to whom to revoke them for, if you used a security group to represent a specific instance of a role, revoke the permissions granted to that security group.

   For specific details on how to undelegate a specific administrative task, please see the How To Undelegate section.






3. How do I find out who is delegated what access in Active Directory?

   The need to know who is delegated what administrative access at any point in time is very important to security.

   In order to determine who is delegated what access in Active Directory, one needs to determine the effective resultant access (resultant set of permissions) in Active Directory, which unfortunately requires substantial expertise, time and effort.

   Many IT administrators tend to overlook the subtle pitfalls involved in correctly assessing access, which stem from the difficult challenges involved in correctly assessing access, and thus unfortunately end up with inaccurate (false) results which should not be relied upon.

   Fortunately, automated solutions are now available and offered by Microsoft security partners. Paramount Defenses Inc, a valued Microsoft security partner offers a completely automated access assessment, audit and reporting solution for Active Directory, called Gold Finger, which is endorsed by Microsoft Corporation.

   Specific details on correctly assessing delegated access can be found in the How To Assess Delegations section.








Are you trying to find out who is delegated what access in AD? You can, with Gold Finger from Paramount Defenses !         Free Download













4. How do I generate a delegation access report in Active Directory?

   Access reports can help organizations clearly assess and document delegated access grants in Active Directory.

   In order to generate an accurate delegation report, one needs to determine the effective resultant access (resultant set of permissions) in Active Directory, which unfortunately requires substantial expertise, time and effort.

   Many IT administrators tend to overlook the subtle pitfalls involved in correctly generating access reports, which stem from the difficult challenges involved in correctly assessing and reporting access, and thus unfortunately end up generating inaccurate reports, which provide a false sense of security.

   Fortunately, automated solutions are now available and offered by Microsoft security partners. Paramount Defenses Inc, a valued Microsoft security partner offers a completely automated access assessment, audit and reporting solution for Active Directory, called Gold Finger, which is endorsed by Microsoft Corporation.

   Specific details on generating accurate delegation reports can be found in the How To Report Delegations section.






5. How do I perform a security audit of access rights in Active Directory?

   Periodic Active Directory security audits are essential to operating a trustworthy Windows Server IT infrastructure.

   An audit of Active Directory security access rights essentially involves the assessment and documentation of delegated access grants in Active Directory. In order to perform an accurate audit though, one needs to determine the effective resultant access (resultant set of permissions) in Active Directory, which unfortunately requires substantial expertise, time and effort.

   Many IT administrators tend to overlook the subtle pitfalls involved in correctly auditing delegated access, which stem from the difficult challenges involved in correctly assessing and auditing access, and thus unfortunately end up performing inaccurate audits, which provide a false picture of security.

   Fortunately, automated solutions are now available and offered by Microsoft security partners. Paramount Defenses Inc, a valued Microsoft security partner offers a completely automated access assessment, audit and reporting solution for Active Directory, called Gold Finger, which is endorsed by Microsoft Corporation.

   Specific details on performing accurate security audits can be found in the How To Audit Delegations section.








Are you trying to audit delegated access in your AD? You can, with Gold Finger from Paramount Defenses !         Free Download













6. How do I verify administrative delegation grants in Active Directory?

   The verification of delegated administrative access in Active Directory is vital to ensuring and maintaining security.

   In order to verify delegated access grants in Active Directory, one needs to determine the effective resultant access (resultant set of permissions) in Active Directory, which unfortunately requires substantial expertise, time and effort.

   Many IT administrators tend to overlook the subtle pitfalls involved in correctly verifying access, which stem from the difficult challenges involved in correctly assessing access, and thus end up inaccurately verifying delegated access.

   Fortunately, automated solutions are now available and offered by Microsoft security partners. Paramount Defenses Inc, a valued Microsoft security partner offers a completely automated access assessment, audit and reporting solution for Active Directory, called Gold Finger, which is endorsed by Microsoft Corporation.

   Specific details on accurately verifying delegated access can be found in the How To Verify Delegations section.






7. How do I demonstrate compliance (SOX, HIPAA) of access rights in Active Directory?

   Demonstrating the compliance of Active Directory access rights on specific Active Directory objects is mission-critical to reliably fulfilling regulatory compliance requirements.

   In order to demonstrate the compliance of Active Directory access rights, organizations need to know exactly which objects to include in their assessment and exactly which tasks to assess the delegation of. Armed with this vital information, organizations can then proceed to assess and document (in the form of compliance reports) effective delegated access grants and furnish these reports to demonstrate compliance.

   In order to accurately assess delegated access grants though, one needs to determine the effective resultant access (resultant set of permissions) in Active Directory, which unfortunately requires substantial expertise, time and effort.

   Most IT security personnel tend to overlook the subtle pitfalls involved in correctly assessing access and thus end up inaccurately assessing delegated access. As a result, they end up generating and furnishing inaccurate (false) compliance reports, which could in fact make their organizations liable for furnishing false evidence.

   Fortunately, automated solutions are now available and offered by Microsoft security partners. Paramount Defenses Inc, a valued Microsoft security partner offers a completely automated access assessment, audit and compliance reporting solution for Active Directory, called Gold Finger, which is endorsed by Microsoft Corporation.

   Specific details can be found in the How To Demonstrate Compliance of Access Rights in Active Directory section.