Exchange Server

Finding Delegates in Active Directory


When using Exchange 2000/2003 it is very common for users to define delegates in their mailboxes so that others can manage those mailboxes for them. A typical example is a manager and his or her secretary (send on behalf).

The problem occurs when one of the employees who was configured as a delegate (for example user A) has left the company. When user B sends a meeting request for the manager, user B will receive an NDR, because user A no longer exists in Active Directory but is still configured as a delegate for user B.


In this scenario we will use 3 users:

  • Tzahi Kolber (Tkolber) as a Manager.
  • Daniel Petri (Dpetri) as a Manager.
  • Krystal James (Kjames) as the Secretary.

We are going to use the LDIFDE command (from the Windows 2003 Support Tools – or on the Windows 2003 CD-ROM). The command will query two attributes that exist on every user object in AD:

  • publicDelegates – This attribute, on the manager's user object, stores the users that were configured as delegates (the secretary).
  • publicDelegatesBL – This back-link attribute, on the delegate's user object, stores the users whose mailboxes were configured with this user as a delegate (the manager).

As a side note, you can view these attributes by using ADSIedit.msc (also from the Windows 2003 Support Tools) and navigating to the following path:

  1. Domain partition.
  2. The relevant domain (for example DC=ms,DC=com).
  3. The relevant location of the user that you are looking for (for example CN=Users).
  4. Choose the relevant user, right-click > properties.
  5. Look for the relevant attribute (for example publicDelegates).

Download the Windows 2003 Support Tools

Running the LDIFDE command

In the following command I will export all the publicDelegates users and the publicDelegatesBL for users that are located in an OU called “Users”, to a text file named C:\Delegates.txt:

c:\>ldifde -f C:\delegates.txt -d "ou=users,dc=domain,dc=com" -l name,publicDelegates,publicDelegatesBL -r "(|(publicDelegates=*)(publicDelegatesBL=*))"

  • -f – assigns the output to the file named C:\Delegates.txt
  • -d – isolates the OU in the directory to query
  • -l – determines what attributes to list
  • -r – filters for objects with any value in the attributes mentioned

You can run the command on the entire domain and not on a specific OU. If you choose to do so, use “dc=domain,dc=com” instead of “ou=users,dc=domain,dc=com”.

Lamer note: I know that the default “Users” container in AD is not an OU and therefore should be addressed as “CN=Users…”, this is just for the sake of the example.

After running the command, we get the next output:

Note: You can also use the CSVDE command instead of LDIFDE. The difference between the two commands is that CSVDE will export the results into a CSV file that can be easily viewed in Excel and further edited. The syntax is the same, just replace the LDIFDE command with CSVDE, and make the output file a CSV instead of a TXT file.

Interpretation of the output

What does the output file tell us?

  1. We can see that the user Tzahi Kolber added Krystal James as his delegate (first 4 lines).
  2. We can see that the user Daniel Petri added Krystal James as his delegate (middle 4 lines).
  3. We can see that the user Krystal James was delegated by Daniel Petri and Tzahi Kolber (last 4 lines).
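The interpretation above is done by eye. As an added example (not part of the original article), the following Python script parses a constructed LDIF export in the shape the ldifde command above produces, rebuilds the manager-to-delegate mapping, and flags any delegate DN that does not appear among the exported objects, which is exactly the "user A has left" situation described at the start. The sample data, the "Former Employee" delegate and the function names are all assumptions made for this example.

```python
import base64

# Constructed sample of the ldifde export above (not real output); note the folded line and the departed delegate.
SAMPLE_LDIF = """\
dn: CN=Tzahi Kolber,OU=Users,DC=domain,DC=com
name: Tzahi Kolber
publicDelegates: CN=Krystal James,OU=Users,DC=domain,DC=com

dn: CN=Daniel Petri,OU=Users,DC=domain,DC=com
name: Daniel Petri
publicDelegates: CN=Krystal James,OU=Users,DC=dom
 ain,DC=com
publicDelegates: CN=Former Employee,OU=Users,DC=domain,DC=com

dn: CN=Krystal James,OU=Users,DC=domain,DC=com
name: Krystal James
publicDelegatesBL: CN=Tzahi Kolber,OU=Users,DC=domain,DC=com
publicDelegatesBL: CN=Daniel Petri,OU=Users,DC=domain,DC=com
"""

def parse_ldif(text):
    """Return [(dn, {attr_lower: [values]})]: unfolds continuation lines, decodes '::' base64 values."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")  # LDIF folds long values onto a line starting with a space
    entries = []
    for record in unfolded.split("\n\n"):  # entries are separated by a blank line
        dn, attrs = None, {}
        for line in record.splitlines():
            attr, sep, value = line.partition(":")
            if not sep or line.startswith("#"):
                continue
            value = base64.b64decode(value[1:].strip()).decode() if value.startswith(":") else value.strip()
            if attr.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(attr.lower(), []).append(value)
        if dn:
            entries.append((dn, attrs))
    return entries

def delegate_report(text):
    """Map manager DN -> delegate DNs; also list delegates absent from the export (outside -d scope or gone from AD), so verify before cleaning up."""
    entries = parse_ldif(text)
    exported = {dn.lower() for dn, _ in entries}
    managers, missing = {}, []
    for dn, attrs in entries:
        for delegate in attrs.get("publicdelegates", []):
            managers.setdefault(dn, []).append(delegate)
            if delegate.lower() not in exported:
                missing.append((dn, delegate))
    return managers, missing
```

Run it against the real C:\Delegates.txt by reading the file into delegate_report; any DN in the "missing" list is a candidate for the NDR problem and should be checked in AD before the delegate entry is removed.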
