How to remove rights granted through AD DS “Delegation of Control Wizard”

In Windows Server 2008 R2 it is very easy to delegate control over a particular OU or domain to a user or a group via the “Delegation of Control Wizard”. Just select a domain or an OU in ADUC and choose “Delegate Control”; the rest is a straightforward point-and-click process.

But once you have delegated these rights it is not so easy to view or remove them (at least you don’t have any GUI wizard for this). To view or delete delegated rights through the ADUC GUI you should first enable Advanced Features in the View menu (see screenshot below).

[Screenshot: ADUC View menu with Advanced Features enabled]

Next you open the properties of the domain/OU in question and go to the Security tab, where you can view / edit / remove delegated permissions (see screenshot below).

[Screenshot: Security tab of the OU properties showing delegated permissions]

If you need to revoke delegated permissions, you need to use scripting / the CLI to accomplish this. For example, you may use the following command to remove all delegated rights for the specified user from the specified OU:

dsacls.exe "OU=Test OU,DC=testdomain,DC=local" /R testdomain\testuser
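Before running a blanket removal it is worth listing exactly which explicit ACEs the wizard created for that principal, because dsacls /R strips every ACE for the account, not only the delegated ones. The PowerShell below is an added example, not code from the original post: it uses the ActiveDirectory module’s AD: drive (RSAT must be installed) to show the non-inherited ACEs for one principal on one OU and then remove only those, previewing the write with -WhatIf first. The OU path and account are the post’s test values; the variable names are my own.

```powershell
# Added example (not from the original post): review and remove the explicit
# (non-inherited) ACEs that "Delegation of Control Wizard" created for one
# principal on one OU. Assumes the ActiveDirectory module (RSAT) is available.
Import-Module ActiveDirectory

$ouDn      = "OU=Test OU,DC=testdomain,DC=local"   # OU from the post
$principal = "testdomain\testuser"                  # DOMAIN\account, as dsacls /R expects

# The AD: drive exposes the OU's security descriptor through Get-Acl / Set-Acl
$acl = Get-Acl -Path "AD:\$ouDn"

# Only explicit ACEs can be removed here; an inherited ACE has to be removed on
# the parent OU or domain it was defined on, so filter those out.
$delegated = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $principal -and -not $_.IsInherited
}

if (-not $delegated) {
    Write-Host "No explicit ACEs for $principal on $ouDn"
    return
}

# Show what is about to go: rights, the attribute/object class they apply to
# (ObjectType GUID), and how far down the tree they inherit.
$delegated |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                  ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize

foreach ($ace in $delegated) {
    # RemoveAccessRuleSpecific drops exactly this ACE instead of merging rights
    [void]$acl.RemoveAccessRuleSpecific($ace)
}

# -WhatIf previews the write; remove it once the listing above looks right.
Set-Acl -Path "AD:\$ouDn" -AclObject $acl -WhatIf
```

Running dsacls.exe with only the object DN and no switches prints the same ACL in text form, which is a quick way to confirm that the entries are gone afterwards. Keep that output (or the listing above) from before and after the change; a saved baseline of explicit ACEs on sensitive OUs is also what lets you notice later when a delegation appears that nobody remembers granting.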
