The Delegation request type enables a department administrator to modify permissions on an organizational unit in a department OU. A department administrator can submit a delegation request to grant or revoke one of the defined permission sets, called delegations, which are detailed in the Delegations Available section below. To request multiple delegations, submit one request per delegation. The supported delegations are defined on the following page:
How-To - Request a Delegation via PowerShell script
...
The OpenLDAP ldapmodify client can be leveraged to submit delegation requests to the Austin Active Directory by directly adding the delegation request JSON string to the requests attribute. Please see the Request By Attribute - Technical Details page for more information about the components of the process.
Request a delegation
Delegations Available
The following delegations are available via REBA:
| Delegation Name | Object Types | Description |
|---|---|---|
| Department | All objects | The standard delegation for Department Administrators on the Department OU. This is almost full control (without allowing adjusting permissions on OUs or the creation of user, inetOrgPerson and account objects). It can be used to sub-delegate full control within the Department OU. |
| Computer | Computer | Allows the creation and deletion of computer objects and provides full control of computer objects. Allows access to LAPS passwords and BitLocker recovery information. |
| ComputerCreate | Computer | Allows the creation of computer objects. |
| ComputerDelete | Computer | Allows the deletion of computer objects. |
| ComputerDenyCreate | Computer | Denies the creation of computer objects. If combined with the Computer delegation, the end result allows deletion of computer objects and provides full control of computer objects. |
| ComputerLAPS | Computer | Allows access to the legacy Microsoft LAPS password stored in the ms-Mcs-AdmPwd attribute on computer objects. |
| ComputerWindowsLAPS | Computer | Allows access to the modern Windows LAPS password attributes on computer objects. |
| ComputerBitLocker | Computer | Allows access to the BitLocker recovery information stored in a msFVE-RecoveryInformation object under the computer object. The BitLocker recovery information is only created if BitLocker escrow to Active Directory is enabled. |
| ComputerJoin | Computer | Allows joining a device to a pre-existing computer object. To allow the creation of computer objects and the ability to join them to the domain, apply both the ComputerCreate and ComputerJoin delegations. |
| ComputerRename | Computer | Allows the renaming of computers. |
| Group | Groups | Provides full control of group objects. Allows creation and deletion of groups. Allows adding and removing members. Allows setting managed by. |
| GroupMembership | Groups | Allows only updating group memberships (add and remove members). |
| GroupPolicy | Organizational Units | Allows linking/unlinking of GPOs and modifying link options (enabled/disabled, enforced, order) on Organizational Units. |
| OU | Organizational Units | Allows the creation, deletion and renaming of Organizational Units, along with editing their description. |
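As an added illustration of the ldapmodify path described above (not code from this page or from the REBA project), the script below builds the LDIF change record that appends a delegation request value to the `requests` attribute and assembles the matching ldapmodify command. It checks the requested delegation name against the Delegations Available table before anything is sent, and base64-encodes the value when RFC 2849 requires it, so a JSON string containing non-ASCII characters or a newline cannot corrupt the record. Assumptions, all labelled in the code: the `requests` attribute is written on the department OU itself, the DN and LDAP URI are placeholders, and the JSON body is treated as opaque because its format belongs to the Delegation Request String section, which this excerpt does not reproduce.

```python
"""Build an LDIF record that adds a delegation request to the 'requests'
attribute for submission with OpenLDAP ldapmodify. Added example; the OU DN,
LDAP URI and request body are placeholders, not values from the page."""
import base64
import json
import shlex

# Delegation names and object types, copied from the Delegations Available table.
DELEGATIONS = {
    "Department": "All objects",
    "Computer": "Computer",
    "ComputerCreate": "Computer",
    "ComputerDelete": "Computer",
    "ComputerDenyCreate": "Computer",
    "ComputerLAPS": "Computer",
    "ComputerWindowsLAPS": "Computer",
    "ComputerBitLocker": "Computer",
    "ComputerJoin": "Computer",
    "ComputerRename": "Computer",
    "Group": "Groups",
    "GroupMembership": "Groups",
    "GroupPolicy": "Organizational Units",
    "OU": "Organizational Units",
}


def ldif_attr_line(attr: str, value: str) -> str:
    """Encode one attribute value per RFC 2849: 'attr: value' when the value is a
    SAFE-STRING, otherwise 'attr:: <base64>'. A leading space, ':' or '<', any
    non-ASCII byte, NUL, CR or LF forces the base64 form."""
    data = value.encode("utf-8")
    safe = (
        len(data) > 0
        and data[0] not in b" :<"  # SAFE-INIT-CHAR excludes SP, ':' and '<'
        and all(0x01 <= b < 0x80 and b not in b"\r\n" for b in data)  # SAFE-CHAR
    )
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(data).decode('ascii')}"


def build_delegation_ldif(ou_dn: str, delegation: str, request_json: str) -> str:
    """Return an LDIF modify/add record for the requests attribute.

    Rejects unknown delegation names and malformed JSON client-side so that a
    typo does not become a pending request. The JSON schema itself is documented
    in the Delegation Request String section and is not validated here.
    Assumption: the request is written on the department OU (ou_dn)."""
    if delegation not in DELEGATIONS:
        raise ValueError(f"unknown delegation {delegation!r}; see Delegations Available")
    json.loads(request_json)  # must parse; raises json.JSONDecodeError otherwise
    return "\n".join([
        ldif_attr_line("dn", ou_dn),  # DNs follow the same safe-string rule
        "changetype: modify",
        "add: requests",
        ldif_attr_line("requests", request_json),
        "-",
        "",
    ])


def ldapmodify_command(ldap_uri: str, ldif_path: str, sasl_mech: str = "GSSAPI") -> str:
    """OpenLDAP client invocation: SASL bind (Kerberos by default) to the given
    URI, reading the change record from a file. Returned as a shell string."""
    return shlex.join(["ldapmodify", "-H", ldap_uri, "-Y", sasl_mech, "-f", ldif_path])


if __name__ == "__main__":
    # Constructed sample; the body is a placeholder, not the real request format.
    placeholder_body = json.dumps({"placeholder": "see Delegation Request String"})
    ldif = build_delegation_ldif(
        "OU=ExampleDept,OU=Departments,DC=example,DC=edu",  # placeholder DN
        "ComputerCreate",
        placeholder_body,
    )
    print(ldif)
    print(ldapmodify_command("ldaps://ldap.example.edu", "request.ldif"))
```

Write the printed record to a file and run the printed command; ldapmodify reports `modifying entry "<dn>"` on success, and any schema or permission error from the directory comes back before the request is stored.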
Delegation Request String
...