Finding Delegates in Active Directory
When using Exchange 2000/2003 it is very common for users to define delegates on their mailboxes so that others can manage them, for example a manager and his or her secretary (send on behalf).
The problem occurs when one of the employees configured as a delegate (say, user A) has left the company. When user B sends a meeting request for the manager, user B receives an NDR because user A no longer exists in Active Directory but is still configured as a delegate for user B.
In this scenario we will use 3 users:
- Tzahi Kolber (Tkolber) as a Manager.
- Daniel Petri (Dpetri) as a Manager.
- Krystal James (Kjames) as the Secretary.
We are going to use the LDIFDE command (from the Windows 2003 Support Tools, also found on the Windows 2003 CD-ROM). The command will query two attributes that exist on every user object in AD:
- publicDelegates – on the manager's user object, this attribute stores the users who were configured as delegates (the secretary).
- publicDelegatesBL – on the delegate's user object, this back-link attribute stores the users whose mailboxes were configured with this delegate (the manager).
As a side note, you can view these attributes by using ADSIedit.msc (also from the Windows 2003 Support Tools) and navigating to the following path:
- Domain partition.
- The relevant domain (for example DC=ms,DC=com).
- The relevant location of the user that you are looking for (for example CN=Users).
- Choose the relevant user, right-click > properties.
- Look for the relevant attribute (for example publicDelegates).
Download the Windows 2003 Support Tools
Running the LDIFDE command
The following command exports the name, publicDelegates and publicDelegatesBL attributes of all users located in an OU called “Users” that have a value in either attribute, to a text file named C:\Delegates.txt:
c:\>ldifde -f C:\delegates.txt -d "ou=users,dc=domain,dc=com" -l name,publicDelegates,publicDelegatesBL -r "(|(publicDelegates=*)(publicDelegatesBL=*))"
- -f – writes the output to the file named C:\Delegates.txt
- -d – restricts the query to the given OU in the directory
- -l – determines which attributes to list
- -r – LDAP filter that returns only objects with any value in either of the two attributes
You can run the command on the entire domain and not on a specific OU. If you choose to do so, use “dc=domain,dc=com” instead of “ou=users,dc=domain,dc=com”.
Lamer note: I know that the default “Users” container in AD is not an OU and therefore should be addressed as “CN=Users…”, this is just for the sake of the example.
Note: You can also use the CSVDE command instead of LDIFDE. The difference between the two commands is that CSVDE exports the results into a CSV file that can be easily viewed and further edited in Excel. The syntax is the same: just replace LDIFDE with CSVDE and give the output file a .csv extension instead of .txt.
Interpretation of the output
What does the output file tell us?
- We can see that the user Tzahi Kolber added Krystal James as his delegate (first 4 lines).
- We can see that the user Daniel Petri added Krystal James as his delegate (middle 4 lines).
- We can see that the user Krystal James was delegated by Daniel Petri and Tzahi Kolber (last 4 lines).
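Reading the export by hand works for three users but not for a whole domain. The following Python script is an added example (not part of the original article) that parses the LDIF file produced by the ldifde command above, builds the manager-to-delegate map from publicDelegates, and flags every delegate that either has no object in the export or whose publicDelegatesBL does not point back at the manager, which is exactly the orphaned-delegate situation that produces the NDRs. The sample LDIF is constructed, and “CN=Former User” is a made-up entry standing in for an employee who has left; run the export against the whole domain (dc=domain,dc=com) rather than a single OU, or delegates living in another OU will be reported as missing.

```python
import base64
# Constructed sample of an ldifde export (name, publicDelegates, publicDelegatesBL);
# "CN=Former User" is a constructed entry for a delegate who has already left.
SAMPLE_LDIF = """\
dn: CN=Tzahi Kolber,OU=Users,DC=domain,DC=com
name: Tzahi Kolber
publicDelegates: CN=Krystal James,OU=Users,DC=domain,DC=com
publicDelegates: CN=Former User,OU=Users,DC=domain,DC=com

dn: CN=Daniel Petri,OU=Users,DC=domain,DC=com
name: Daniel Petri
publicDelegates: CN=Krystal James,OU=Users,DC=domain,DC=com

dn: CN=Krystal James,OU=Users,DC=domain,DC=com
name: Krystal James
publicDelegatesBL: CN=Tzahi Kolber,OU=Users,DC=domain,DC=com
publicDelegatesBL: CN=Daniel Petri,OU=Users,DC=domain,DC=com
"""

def parse_ldif(text):
    """Return {dn.lower(): {attr: [values]}}, unfolding lines and decoding '::' base64."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = {}, {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if line:
            attr, _, value = line.partition(":")
            if value.startswith(":"):       # "attr:: <base64 value>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            current.setdefault(attr.strip(), []).append(value.strip())
        elif current:
            entries[current["dn"][0].lower()] = current
            current = {}
    return entries

def find_stale_delegates(text):
    """Return [(manager_dn, delegate_dn)] where the delegate is missing or has no back-link."""
    entries = parse_ldif(text)
    stale = []
    for dn, attrs in entries.items():
        for delegate in attrs.get("publicDelegates", []):
            target = entries.get(delegate.lower())
            backlinks = [b.lower() for b in (target or {}).get("publicDelegatesBL", [])]
            if target is None or dn not in backlinks:
                stale.append((attrs["dn"][0], delegate))
    return stale
```

Call find_stale_delegates(open(r"C:\Delegates.txt").read()) on a real export; each returned pair is a delegate entry that the manager (or an administrator) should remove from the mailbox.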