Eguibar IT

Over a decade of expertise in Active Directory, infrastructure, and security. Deep dive into AD Tier Model, RBAC and PowerShell automation

Group: Delegation Model

Questions raised on the AD Delegation model.

The Delegation Model grants controlled and specific rights to administrators without using privileged groups such as Domain Admins.

This section references all topics of the model.

Can I restrict my Administrators, Domain Admins or Enterprise Admins without a Delegation Model in place?

No. Once a user becomes a member of a highly privileged group, there is no technical restriction. Because of this, he or she can create, change, or delete any other administrator. This is the problem with big AD implementations, which did not consider a […]

Can we delegate “exclusive” administrator tasks?

Yes. Active Directory is extremely granular when it comes to delegation. We can delegate the task to manage:

  • a full partition
  • certain kinds of objects within a given partition
  • attribute sets for an object
  • specific attributes

Can we have Split-Delegation?

Yes. A split-delegation is when 2 different teams have similar rights within the same object. This is very common and is recommended for splitting the load between teams. A very common scenario is: the user provisioning team is […]

What should be delegated?

As with the previous question, this is quite hard to answer individually. The simplest, easiest, most common and worst thing we can do is to assign Administrator rights. We must completely ignore this approach, as is […]

To whom do I need to delegate?

Well, this is a very generic and difficult question to answer, or at least it is without having several more following it. We need to identify any person who is making a […]

Do I need to delegate authority?

YES. 99% of AD implementations do need to delegate authority, even if a small team is administering the environment. The exception to the rule might be when ONLY 1 administrator is in place and […]

Copyright 2025. All rights reserved.