How to Undelegate an Administrative Task in Active Directory
Step-by-step instructions on how to undelegate an administrative task in Active Directory
To undelegate a previously delegated administrative task in Active Directory, enact the following steps –
- Open the Active Directory Users and Computers Snap-in (Click Start, then click Run, then type dsa.msc and hit Enter.)
- Click on the View option in the Menu bar and make sure that the Advanced Features option is selected (i.e. it is tick-marked).
- If the task to undelegate was delegated on a specific object, such as a user account or a security group, navigate to that object. If the task to undelegate was delegated on a collection of objects, such as all user accounts in an OU, navigate to the container or OU object on which the permissions were specified to delegate the task.
- Right-click on the object and select Properties.
- Navigate to the Security Tab by clicking on it.
- Click the Advanced button to open the Advanced Security Settings pane.
- Determine what permissions were specified (and to which user, group or computer) to delegate the task.
NOTE: For a list of common delegations, see the Top-20 delegations page of this website. For a comprehensive list, refer to Appendix A of Microsoft's official whitepaper on delegating administrative access in Active Directory.
- In the Permission entries section of the Advanced Security Settings pane, scroll through the list of access control entries (ACEs) to identify the combination of specified permissions and the user, group or computer to which they were granted.
CAUTION: Over time, multiple IT admins may have specified multiple permissions for multiple users, computers or groups, and so there may very well be more than one entry that effectively delegates this task to numerous users. It is imperative that you consider each entry that could influence the delegation which you wish to undelegate.
In effect, to reliably undelegate a task you need to know which ACEs are effectively enabling the delegation.
- After the relevant permission and user, group or computer combinations have been identified, highlight each of them by clicking on it and then click the Remove button to remove these permission entries.
NOTE: In certain cases, you may wish to undelegate the task only for a subset of individuals. In this case you may have to open the entry in the Advanced Security Settings pane and modify the user, computer or group it applies to so that it reflects the desired changes.
- Click the OK button to return to the Security tab of the object's Properties pane.
- Click the OK button to return to the Active Directory Users and Computers main application panel.
- Verify that administrative authority has in fact been precisely undelegated, meaning that –
  - All users from whom you intended to undelegate the administrative task can no longer carry out the task.
  - Only those users from whom you intended to undelegate the task, and no others, can no longer enact the task.
  - All users from whom you intended to undelegate the administrative task can no longer carry out that task, but can continue to carry out all other previously delegated tasks.
WARNING: No administrative undelegation should be considered complete until it has been accurately verified.
To learn how to verify an undelegation, please see the How to Verify Delegated Access in AD section of this website.
If all of the above steps have been correctly enacted, you have successfully undelegated your administrative task.
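The same identify, remove and verify sequence can be carried out from PowerShell when the delegation was granted on a container or OU. The script below is an added example and is not code from this website; it assumes the RSAT ActiveDirectory module (which provides the AD: drive), and the OU distinguished name and group name are placeholders to be replaced with your own. It only checks the one principal named, so run it once per user, group or computer that the CAUTION above applies to.

```powershell
# Added example (not from the original page): list the ACEs a principal holds on an
# AD object, remove the explicit ones, then re-read the ACL to verify they are gone.
# Assumes the RSAT ActiveDirectory module; the DN and group below are placeholders.
Import-Module ActiveDirectory

$ObjectDN  = 'OU=Sales,DC=corp,DC=example'   # placeholder: object or OU the task was delegated on
$Principal = 'CORP\HelpDesk'                 # placeholder: user, group or computer delegated to
$AclPath   = "AD:\$ObjectDN"

function Get-PrincipalAces {
    param([string]$Path, [string]$Identity)
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity }
}

# 1. Identify every ACE for the principal; several entries may together enable one delegation.
$before = Get-PrincipalAces -Path $AclPath -Identity $Principal
if (-not $before) { Write-Host "No ACEs for $Principal on $ObjectDN"; return }
foreach ($ace in $before) {
    # Inherited ACEs come from a parent container and must be removed there, not here.
    $origin = if ($ace.IsInherited) { 'inherited (remove at its source)' } else { 'explicit' }
    Write-Host ("{0,-6} {1,-40} objectType={2} applies={3} {4}" -f $ace.AccessControlType,
        $ace.ActiveDirectoryRights, $ace.ObjectType, $ace.InheritanceType, $origin)
}

# 2. Remove the explicit ACEs for the principal and write the ACL back.
$acl = Get-Acl -Path $AclPath
$explicit = $acl.Access |
    Where-Object { $_.IdentityReference.Value -eq $Principal -and -not $_.IsInherited }
foreach ($ace in $explicit) { [void]$acl.RemoveAccessRule($ace) }
if ($explicit) { Set-Acl -Path $AclPath -AclObject $acl }

# 3. Verify: no explicit ACE for the principal may remain on this object.
$after = Get-PrincipalAces -Path $AclPath -Identity $Principal |
    Where-Object { -not $_.IsInherited }
if ($after) {
    Write-Warning "$(@($after).Count) explicit ACE(s) for $Principal still present on $ObjectDN"
} else {
    Write-Host "No explicit ACEs for $Principal remain on $ObjectDN"
}
```

If the listing shows inherited entries, repeat the procedure on the parent container they were inherited from, since removing them on the child object is not possible.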