If everyone’s an admin, no one’s in control.

Ethical Threat Insight: Active Directory Delegation Best Practices

Most AD environments I see during internal pentests are too permissive:

  • Too many Domain Admins.

  • Overly permissive file shares.

I know this struggle well. I worked as an IT admin for 10+ years.

Setting up proper delegations is like creating strict firewall rules. It’s not easy or fun.

But I do believe it’s necessary.

Here are 3 rules I try to stick to when delegating permissions in AD:

  1. Least privilege - assign only the permissions that are needed and nothing more. Great in theory, harder in practice. But I would encourage you to uphold this principle at first and make exceptions when necessary.

    • Example: The Help Desk likely doesn’t need “FullControl” on all user Organizational Units if all they need to do is unlock accounts and reset passwords.

  2. Audit changes - don’t assume you did it right. After you’ve made changes or delegated access, review the permissions you set to ensure they are what you intended to set.

    • Example: You’ve delegated access for the Help Desk to reset the passwords of all non-admin accounts. Use a tool like ADeleg to manually verify that those are actually the permissions that were granted.

  3. Documentation - keep track of all the custom delegations you’ve created in your environment. A simple spreadsheet will do. Doing this helps you keep track of delegations and is a central place to look when you go to make additional changes.
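The three rules above as one PowerShell script. This is an added example, not code from the original post or from ADeleg: it grants a Help Desk group only the “Reset Password” control access right and write access to lockoutTime (what “unlock account” actually changes) on user objects under one OU instead of FullControl, then reads back the explicit (non-inherited) ACEs on that OU with the GUIDs resolved to names so you can confirm what was really set, and exports the result to a CSV that serves as the delegation spreadsheet. The group name HelpDesk-Tier1 and the OU OU=Staff,DC=corp,DC=example are hypothetical; it assumes the RSAT ActiveDirectory module and an account allowed to edit that OU’s ACL.

```powershell
# Added example (not from the original post): least-privilege delegation, audit, document.
# Hypothetical names; the schema and extended-right GUIDs are looked up from the forest
# rather than hard-coded.
Import-Module ActiveDirectory

$GroupName = 'HelpDesk-Tier1'               # hypothetical delegate group
$TargetOU  = 'OU=Staff,DC=corp,DC=example'  # hypothetical OU that holds non-admin users
$ADR       = [System.DirectoryServices.ActiveDirectoryRights]

function Get-AdSchemaGuid {
    # schemaIDGUID of a class or attribute (e.g. 'user', 'lockoutTime'), from the schema NC
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}

function Get-AdExtendedRightGuid {
    # rightsGuid of a control access right (e.g. 'Reset Password'), from the configuration NC
    param([Parameter(Mandatory)][string]$DisplayName)
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$obj.rightsGuid
}

# Rule 1: least privilege. Two narrow ACEs scoped to descendant user objects only.
function Grant-HelpDeskPasswordDelegation {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$OU = $TargetOU, [string]$Group = $GroupName)

    $sid         = (Get-ADGroup $Group).SID
    $userClass   = Get-AdSchemaGuid 'user'
    $lockoutTime = Get-AdSchemaGuid 'lockoutTime'
    $resetPwd    = Get-AdExtendedRightGuid 'Reset Password'
    $inh   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
    $allow = [System.Security.AccessControl.AccessControlType]::Allow

    $rules = @(
        # "Reset Password" control access right on user objects below the OU
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, $ADR::ExtendedRight, $allow, $resetPwd, $inh, $userClass)
        # Read/write lockoutTime on user objects: this is what "Unlock account" does
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, ($ADR'ReadProperty, WriteProperty'), $allow, $lockoutTime, $inh, $userClass)
    )
    $acl = Get-Acl -Path "AD:\$OU"
    foreach ($r in $rules) { $acl.AddAccessRule($r) }
    if ($PSCmdlet.ShouldProcess($OU, "Grant $Group reset-password/unlock on user objects")) {
        Set-Acl -Path "AD:\$OU" -AclObject $acl
    }
}

# Rule 2: audit. List the explicit ACEs on the OU with GUIDs resolved to readable names,
# and flag any that are broad enough to amount to full control.
function Get-ExplicitOuDelegations {
    param([string]$OU = $TargetOU)
    $rootDse = Get-ADRootDSE
    $names = @{}
    Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $names[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" -LDAPFilter '(rightsGuid=*)' -Properties displayName, rightsGuid |
        ForEach-Object { $names[[guid]$_.rightsGuid] = $_.displayName }
    function Resolve-GuidName([guid]$g, [string]$Default) {
        if ($g -eq [guid]::Empty) { $Default } elseif ($names.ContainsKey($g)) { $names[$g] } else { $g.ToString() }
    }

    (Get-Acl -Path "AD:\$OU").Access | Where-Object { -not $_.IsInherited } | ForEach-Object {
        $rights = $_.ActiveDirectoryRights
        [pscustomobject]@{
            OU          = $OU
            Identity    = $_.IdentityReference.Value
            Type        = $_.AccessControlType
            Rights      = $rights
            ObjectType  = Resolve-GuidName $_.ObjectType 'All'
            AppliesTo   = Resolve-GuidName $_.InheritedObjectType 'All objects'
            Inheritance = $_.InheritanceType
            # GenericAll, WriteDacl or WriteOwner is effectively full control of the subtree
            Broad       = $rights.HasFlag($ADR::GenericAll) -or $rights.HasFlag($ADR::WriteDacl) -or $rights.HasFlag($ADR::WriteOwner)
            Reviewed    = (Get-Date).ToString('yyyy-MM-dd')
        }
    }
}

# Rule 3: documentation. One CSV row per explicit ACE per OU, the "simple spreadsheet".
function Export-DelegationInventory {
    param([string[]]$OUs = @($TargetOU), [string]$Path = '.\ad-delegations.csv')
    $OUs | ForEach-Object { Get-ExplicitOuDelegations -OU $_ } | Export-Csv -Path $Path -NoTypeInformation
}

Grant-HelpDeskPasswordDelegation -WhatIf          # preview the ACL write first
Grant-HelpDeskPasswordDelegation
Get-ExplicitOuDelegations | Format-Table -AutoSize
Export-DelegationInventory -OUs $TargetOU
```

Run the audit step before and after the grant and compare the two CSVs; a delegation that was meant to be “reset password on users” should show up as exactly two rows for the group, with AppliesTo = user and Broad = False. Any explicit row with Broad = True for a non-admin identity is the kind of finding the post describes.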

Delegation is a very big topic, and honestly there’s a lot that can go wrong.

But if you stick to these 3 rules, I believe it will help reduce mistakes and allow you to be more intentional about the permissions you set.

Not sure who has what permissions in AD? You’re not alone.

Watch this video I made on finding insecure permissions in AD.

p.s. If you ever feel like this, you need to audit AD permissions ASAP! 😅😂

We’ve all been there. It’s part of the learning process. 🙏

p.p.s. - These are the exact type of issues we look for on our internal pentests. If you’d like me and my team to pentest your environment, give us a shout.

All the best
Spencer Alessi
