Finding Delegates in Active Directory

When using Exchange 2000/2003 it is very common for users to define delegates on their mailboxes so that others can manage them for them. For example, a manager and his or her secretary (send on behalf).

The problem occurs when one of the employees that was configured as a delegate (for example user A) has left the company. When user B sends a meeting request to the manager, user B will receive an NDR because user A no longer exists in Active Directory but is still configured as a delegate on the manager's mailbox.

In this scenario we will use 3 users:

  • Tzahi Kolber (Tkolber) as a Manager.
  • Daniel Petri (Dpetri) as a Manager.
  • Krystal James (Kjames) as the Secretary.

We are going to use the LDIFDE command (from the Windows 2003 Support Tools, also found on the Windows 2003 CD-ROM). This command queries two attributes that exist on every user object in AD:

  • publicDelegates – This attribute, set on the manager's user object, stores the users that were configured as delegates (the secretary).
  • publicDelegatesBL – This back-link attribute, set on the delegate's user object, stores the users whose mailboxes were configured with this user as a delegate (the manager).

As a side note, you can view these attributes by using ADSIedit.msc (also from the Windows 2003 Support Tools) and navigating to the following path:

  1. Domain partition.
  2. The relevant domain (for example DC=ms,DC=com).
  3. The relevant location of the user that you are looking for (for example CN=Users).
  4. Choose the relevant user, right-click > properties.
  5. Look for the relevant attribute (for example publicDelegates).

Download the Windows 2003 Support Tools

Running the LDIFDE command

In the following command I will export the name, publicDelegates and publicDelegatesBL attributes of every user located in an OU called “Users” that has either attribute set, to a text file named C:\Delegates.txt:

c:\>ldifde -f C:\delegates.txt -d "ou=users,dc=domain,dc=com" -l name,publicDelegates,publicDelegatesBL -r "(|(publicDelegates=*)(publicDelegatesBL=*))"

  • -f – writes the output to the file named C:\Delegates.txt
  • -d – restricts the query to the given OU in the directory
  • -l – determines which attributes to list
  • -r – filters for objects that have any value in either of the attributes mentioned

You can run the command on the entire domain and not on a specific OU. If you choose to do so, use “dc=domain,dc=com” instead of “ou=users,dc=domain,dc=com”.

Lamer note: I know that the default “Users” container in AD is not an OU and therefore should be addressed as “CN=Users…”, this is just for the sake of the example.

After running the command, we get the following output:

Note: You can also use the CSVDE command instead of LDIFDE. The difference between the two commands is that CSVDE exports the results into a CSV file that can easily be viewed in Excel and edited further. The syntax is the same: just replace the LDIFDE command with CSVDE and make the output file a CSV instead of a TXT file.

Interpretation of the output

What does the output file tell us?

  1. We can see that the user Tzahi Kolber added Krystal James as his delegate (first 4 lines).
  2. We can see that the user Daniel Petri added Krystal James as his delegate (middle 4 lines).
  3. We can see that the user Krystal James was delegated by Daniel Petri and Tzahi Kolber (last 4 lines).
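The LDIF file produced by the command above can also be checked automatically rather than read by eye. The following Python script is an added example, not part of the original article or of the LDIFDE tool: it parses an LDIFDE export (including base64-encoded `::` values and folded lines), builds the manager-to-delegate and delegate-to-manager maps from publicDelegates and publicDelegatesBL, and flags delegate DNs that are referenced by a manager but were not returned as objects in the export. Because the -r filter returns every object that has publicDelegatesBL set, an existing delegate always shows up in the export, so a referenced-but-absent delegate is exactly the stale entry that causes the NDR described above. The LDIF text in the script is constructed sample data modelled on the three users in this scenario, not real output; the “Former Employee” entry is an assumed stale delegate added to exercise the check.

```python
"""Cross-check an LDIFDE export of publicDelegates / publicDelegatesBL.

Added example (not the article's own code). Assumes the export was made with
-l name,publicDelegates,publicDelegatesBL and the -r filter from the article.
"""
import base64
from collections import defaultdict

# Constructed sample in LDIFDE output format (not real output). Daniel Petri's
# name is base64-encoded to show how LDIFDE writes values it cannot print as
# plain ASCII. "Former Employee" is an assumed delegate that no longer exists.
SAMPLE_LDIF = """\
dn: CN=Tzahi Kolber,OU=Users,DC=domain,DC=com
changetype: add
name: Tzahi Kolber
publicDelegates: CN=Krystal James,OU=Users,DC=domain,DC=com

dn: CN=Daniel Petri,OU=Users,DC=domain,DC=com
changetype: add
name:: RGFuaWVsIFBldHJp
publicDelegates: CN=Krystal James,OU=Users,DC=domain,DC=com
publicDelegates: CN=Former Employee,OU=Users,DC=domain,DC=com

dn: CN=Krystal James,OU=Users,DC=domain,DC=com
changetype: add
name: Krystal James
publicDelegatesBL: CN=Daniel Petri,OU=Users,DC=domain,DC=com
publicDelegatesBL: CN=Tzahi Kolber,OU=Users,DC=domain,DC=com
"""


def parse_ldif(text):
    """Return one dict per LDIF record mapping attribute -> list of values.

    Folded lines (leading space) are joined to the previous line, and
    'attr:: value' entries are base64-decoded as LDIF requires.
    """
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)

    records, current = [], None
    for line in unfolded:
        if not line.strip():            # blank line ends a record
            if current is not None:
                records.append(current)
                current = None
            continue
        if line.startswith("#"):        # LDIF comment
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):       # 'attr:: base64'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if current is None:
            current = defaultdict(list)
        current[attr].append(value)
    if current is not None:
        records.append(current)
    return records


def delegate_map(records):
    """Build manager -> {delegate DNs} and delegate -> {manager DNs}.

    DNs are lower-cased because AD compares them case-insensitively.
    """
    managers, delegates = {}, {}
    for rec in records:
        dn = rec["dn"][0].lower()
        if rec.get("publicDelegates"):
            managers[dn] = {v.lower() for v in rec["publicDelegates"]}
        if rec.get("publicDelegatesBL"):
            delegates[dn] = {v.lower() for v in rec["publicDelegatesBL"]}
    return managers, delegates


def find_stale_delegates(records):
    """Return {delegate DN: {manager DNs}} for delegates that some manager
    references in publicDelegates but that were not returned as objects.

    Every existing delegate matches the article's -r filter (it has
    publicDelegatesBL set), so a referenced DN missing from the export is a
    delegate that no longer exists and should be removed from the manager's
    mailbox before it causes NDRs.
    """
    present = {rec["dn"][0].lower() for rec in records}
    managers, _ = delegate_map(records)
    stale = {}
    for manager, dels in managers.items():
        for d in dels - present:
            stale.setdefault(d, set()).add(manager)
    return stale


if __name__ == "__main__":
    recs = parse_ldif(SAMPLE_LDIF)
    for delegate, mgrs in find_stale_delegates(recs).items():
        print(f"stale delegate {delegate} still configured on: {sorted(mgrs)}")
```

To use it against a real export, replace `SAMPLE_LDIF` with the contents of C:\Delegates.txt; the same parser works for a domain-wide export, and any DN it reports is a delegate entry worth cleaning up on the listed manager's mailbox.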
