The following delegations are supported by the Requests By Attribute process. Each entry gives the delegation name, the object types it applies to, and a description of what it grants.

Department
  Object types: All objects
  Description: The standard delegation for Department Administrators on the Department OU. This is almost full control (without allowing adjusting permissions on OUs or the creation of user, inetOrgPerson and account objects). This can be used to sub-delegate full control within the Department OU.

Computer
  Object types: Computer
  Description: Allows the creation and deletion of computer objects and provides full control of computer objects. Allows access to LAPS passwords and BitLocker recovery information.

ComputerCreate
  Object types: Computer
  Description: Allows the creation of computer objects.

ComputerDelete
  Object types: Computer
  Description: Allows the deletion of computer objects.

ComputerDenyCreate
  Object types: Computer
  Description: Denies the creation of computer objects. If combined with the Computer delegation, the end result allows deletion of computer objects and provides full control of computer objects.

ComputerLAPS
  Object types: Computer
  Description: Allows access to the legacy Microsoft LAPS password stored in the ms-Mcs-AdmPwd attribute on computer objects.

ComputerWindowsLAPS
  Object types: Computer
  Description: Allows access to the modern Windows LAPS password attributes on computer objects.

ComputerBitLocker
  Object types: Computer
  Description: Allows access to the BitLocker recovery information stored in a msFVE-RecoveryInformation object under the computer object. The BitLocker recovery information is only created if BitLocker escrow to Active Directory is enabled.

ComputerJoin
  Object types: Computer
  Description: Allows joining a device to a pre-existing computer object. To allow the creation of computer objects and the ability to join the computer objects to the domain, apply both the ComputerCreate and ComputerJoin delegations.

ComputerRename
  Object types: Computer
  Description: Allows the renaming of computers.

Group
  Object types: Groups
  Description: Provides full control of group objects. Allows creation and deletion of groups. Allows adding and removing members. Allows setting managed by.

GroupMembership
  Object types: Groups
  Description: Allows only updating group memberships (add and remove members).

GroupPolicy
  Object types: Organizational Units
  Description: Allows linking/unlinking of GPOs and modifying link options (enabled/disabled, enforced, order) on Organizational Units.

OU
  Object types: Organizational Units
  Description: Allows the creation, deletion, and rename of Organizational Units, along with editing their description.
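The ComputerLAPS and ComputerWindowsLAPS delegations above grant read access to password attributes on computer objects, so the useful control on the other side is knowing who actually holds that access on a given OU. The following is an added example, not part of the original page or of the Requests By Attribute tooling: it resolves the LAPS attribute schema GUIDs by name and lists the ACEs on an OU that are scoped to those attributes, or that are blanket GenericAll / all-extended-rights ACEs covering them. The OU distinguished name, the Get-AttributeGuid helper and the attribute list are assumptions for illustration; it requires the RSAT ActiveDirectory module and an account permitted to read the OU's security descriptor.

```powershell
# Added example (not from the original page): list ACEs on an OU that can
# read LAPS password attributes. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Placeholder OU; replace with the Department OU you are reviewing.
$ouDn = 'OU=ExampleDept,DC=example,DC=com'

# Helper (assumed name): look up an attribute's schemaIDGUID by lDAPDisplayName
# instead of hard-coding GUIDs.
function Get-AttributeGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNc `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $attr) { return $null }
    [guid]$attr.schemaIDGUID
}

# Legacy LAPS attribute (ComputerLAPS) and Windows LAPS attributes (ComputerWindowsLAPS).
$lapsAttributes = @('ms-Mcs-AdmPwd', 'msLAPS-Password', 'msLAPS-EncryptedPassword')

# Map GUID -> attribute name; skip attributes whose schema extension is not installed.
$guidMap = @{}
foreach ($name in $lapsAttributes) {
    $g = Get-AttributeGuid -LdapDisplayName $name
    if ($g) { $guidMap[$g] = $name }
}

$rights = [System.DirectoryServices.ActiveDirectoryRights]

# Reading a confidential attribute requires ReadProperty plus the CONTROL_ACCESS
# extended right on that attribute, so report Allow ACEs that are either scoped
# to a LAPS attribute GUID, or blanket GenericAll / ExtendedRight ACEs with an
# empty ObjectType (which cover every attribute and every extended right).
$acl = Get-Acl -Path ("AD:\" + $ouDn)
$acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' } |
    Where-Object {
        $objType = [guid]$_.ObjectType
        $scoped  = $guidMap.ContainsKey($objType)
        $blanket = ($objType -eq [guid]::Empty) -and
                   ($_.ActiveDirectoryRights.HasFlag($rights::GenericAll) -or
                    $_.ActiveDirectoryRights.HasFlag($rights::ExtendedRight))
        $scoped -or $blanket
    } |
    ForEach-Object {
        $objType = [guid]$_.ObjectType
        [pscustomobject]@{
            Principal = $_.IdentityReference.Value
            Rights    = $_.ActiveDirectoryRights
            Attribute = if ($guidMap.ContainsKey($objType)) { $guidMap[$objType] } else { '(all attributes)' }
            Inherited = $_.IsInherited
        }
    } |
    Sort-Object Principal |
    Format-Table -AutoSize
```

This is a screening query rather than an effective-access calculation: it does not evaluate Deny ACEs, group nesting, or InheritedObjectType restrictions, so treat any principal it lists as a candidate to verify, and expect inherited entries from parent OUs to appear alongside ones set directly on the OU. For the legacy attribute, the AdmPwd.PS module's Find-AdmPwdExtendedRights cmdlet performs a similar check specifically for ms-Mcs-AdmPwd.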