Tag Archives: AD DS

How to remove rights granted through AD DS “Delegation of Control Wizard”

In Windows Server 2008 R2 it is very easy to delegate control over a particular OU or domain to a user or a group via the “Delegation of Control Wizard”. Just select a domain or an OU in ADUC and choose “Delegate Control” – the rest is a straightforward point-and-click process.

But once you have delegated these rights it is not so easy to view or remove them (at least there is no GUI wizard for this). To view or delete delegated rights through the ADUC GUI you should first enable Advanced Features in the View menu (see screenshot below).


Next, open the properties of the domain/OU in question and go to the Security tab, where you can view / edit / remove delegated permissions (see screenshot below).


In case you need to revoke delegated permissions, you need to use scripting / the CLI to accomplish this. For example, you may use the following command to remove all delegated rights of a specified user on a specified OU:

dsacls.exe "OU=Test OU,DC=testdomain,DC=local" /R testdomain\testuser
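As an added example that is not part of the original post: the same view-then-revoke done in PowerShell over the ActiveDirectory module's AD: drive, listing the explicit ACEs a principal holds on the OU before removing them (the OU DN and account name are placeholders):

```powershell
# Added example, not from the original post. Uses the ActiveDirectory module
# (RSAT) and the AD: PSDrive it registers; run it from an account that can read
# and, for removal, write the OU's security descriptor.
Import-Module ActiveDirectory

# List the explicit (non-inherited) ACEs a principal holds on an OU. These are
# the entries the Delegation of Control Wizard creates; inherited entries come
# from a parent container and must be handled there.
function Get-DelegatedAce {
    param(
        [Parameter(Mandatory)][string]$OuDn,      # e.g. "OU=Test OU,DC=testdomain,DC=local"
        [Parameter(Mandatory)][string]$Identity   # NTAccount form, e.g. "TESTDOMAIN\testuser"
    )
    $acl = Get-Acl -Path "AD:\$OuDn"
    $acl.Access | Where-Object {
        -not $_.IsInherited -and $_.IdentityReference.Value -eq $Identity
    } | Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                      ObjectType, InheritedObjectType, InheritanceType
}

# Remove those explicit ACEs (the PowerShell equivalent of "dsacls ... /R user").
# Supports -WhatIf so the change can be previewed before the DACL is written back.
function Remove-DelegatedAce {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$OuDn,
        [Parameter(Mandatory)][string]$Identity
    )
    $acl  = Get-Acl -Path "AD:\$OuDn"
    $hits = @($acl.Access | Where-Object {
        -not $_.IsInherited -and $_.IdentityReference.Value -eq $Identity
    })
    foreach ($ace in $hits) {
        # Remove exactly this ACE from the in-memory DACL (no rights merging)
        $acl.RemoveAccessRuleSpecific($ace)
    }
    if ($hits.Count -gt 0 -and
        $PSCmdlet.ShouldProcess($OuDn, "Remove $($hits.Count) explicit ACE(s) for $Identity")) {
        Set-Acl -Path "AD:\$OuDn" -AclObject $acl
    }
    return $hits.Count
}

# Placeholder values; review first, then revoke with -WhatIf before the real run.
Get-DelegatedAce -OuDn "OU=Test OU,DC=testdomain,DC=local" -Identity "TESTDOMAIN\testuser" |
    Format-Table -AutoSize
Remove-DelegatedAce -OuDn "OU=Test OU,DC=testdomain,DC=local" -Identity "TESTDOMAIN\testuser" -WhatIf
```

ObjectType and InheritedObjectType are shown as schema GUIDs, so a delegation that was scoped to one attribute or object class shows up as a GUID rather than a name.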


AD DS design models

Just a note on the most common AD DS design models. As with any design, the best practice is to start with the simplest, plainest solution and add complexity only if absolutely necessary. There are 7 major AD DS design models:

- Single domain model (simplest)
- Multiple domain model
- Multiple trees in a single forest model
- Federated forests design model
- Peer-root model
- Placeholder domain model
- Special-purpose domain model


How To: Get AD DS group membership for specific user (with filtering by part of group name)

To get AD DS group membership for a specific user (with filtering by part of the group name) you may use PowerShell (don’t forget to import the Active Directory module by issuing import-module activedirectory before running the example below):


Get-ADPrincipalGroupMembership USERNAME | select name | where-object {$_.name -like "*PART_OF_GROUP_NAME*"}

Substitute USERNAME and PART_OF_GROUP_NAME with the appropriate values. If you issue just Get-ADPrincipalGroupMembership USERNAME you will get a list of all groups the specified user is a member of (which can be a long list in large environments).

Similarly, you may use Get-ADGroupMember GROUPNAME to get a list of all members of a specified group, or, if you add a condition as follows:


Get-ADGroupMember GROUPNAME | select name | where-object {$_.name -like "*PART_OF_USER_NAME*"}

you will get the matching user(s), if any are included in this group.

Of course you may use the old-fashioned net user /domain USERNAME for the same purpose, but it tends to truncate long group names, and its output formatting / manipulation possibilities are by far less flexible.


AD DS: Tombstone Lifetime

What is it?

The tombstone interval is a preconfigured period for AD objects since their last validation of being active. Default value in Windows Server 2008 R2 – 60 days.

Full list of default values:

Windows Version             Default TSL
-----------------------------------------
Windows Server 2000         60 days
Windows Server 2003         60 days
Windows Server 2003 SP1     180 days
Windows Server 2003 R2      60 days
Windows Server 2003 R2 SP2  180 days
Windows Server 2008         180 days
Windows Server 2008 R2      180 days
Windows Server 2012         180 days
Windows Server 2012 R2      180 days (not confirmed)

(Thanks for this data go to Mathias R. Jessen; see his answer to this question on serverfault.com.)

How to check the current setting?

You can do it with the dsquery command:

dsquery * "cn=directory service,cn=windows nt,cn=services,cn=configuration,dc=" -scope base -attr tombstonelifetime

How to change it?

Use ADSI Edit and change the tombstoneLifetime value of the Directory Service object. The Directory Service object resides in the configuration partition of the AD forest (CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=domain,DC=com).

Why should I care?

This interval is used to prevent the introduction of lingering objects into your AD DS when you are performing a restore. If you need to restore a global catalog, then the age of your backup should not exceed the tombstone interval for a successful restore. So if you need to do a restore of AD objects older than 60 days, you should change your tombstone interval setting accordingly.
