Finding Delegates in Active Directory

Finding delegates in Active Directory

When using Exchange 2000/2003 there are very common situations where users define delegates in their mailboxes in order to let others manage their mailboxes. For example – a managers and his or her secretary (send of behalf).
The problem occurs when one of the employees that was configured as a delegate (for example user A) has left the company. When user B sends a meeting request for the manager, user B will receive an NDR because user A no longer exists in Active Directory, but is still configured as a delegate for user B.
In this scenario we will use 3 users:

  • Tzahi Kolber (Tkolber) as a Manager.
  • Daniel Petri (Dpetri) as a Manager.
  • Krystal James (Kjames) as the Secretary.

We are going to use the LDIFDE command (from the Windows 2003 Support Tools – or in the Windows 2003 CDROM). This command queries 2 attributes in the AD that can be found for every user object:

  • publicDelegates – This attribute stores the user that was configured as a delegate (the secretary).
  • publicDelegatesBL – This attribute stores the user his mailbox that was configured with a delegate (the manager).

As a side note, you can view these attributes by using ADSIedit.msc (also from the Windows 2003 Support Tools) and navigating to the following path:

  1. Domain partition.
  2. The relevant domain (for example DC=ms,DC=com).
  3. The relevant location of the user that you are looking for (for example CN=Users).
  4. Choose the relevant user, right-click > properties.
  5. Look for the relevant attribute (for example publicDelegates).

Download the Windows 2003 Support Tools

Running the LDIFDE command

In the following command I will export all the publicDelegates users and the publicDelegatesBL for users that are located in an OU called “Users”, to a text file named C:\Delegates.txt:

​c:\>ldifde -f C:\delegates.txt -d "ou=users,dc=domain,dc=com" -l name,publicDelegates,publicDelegatesBL -r "(|(publicDelegates=*)(publicDelegatesBL=*))"


-f – assigns the output to the file named C:\Delegates.txt -d – isolates OU in the directory to query -l – determines what attributes to list -r – filters for objects with any value for the attributes mentioned
You can run the command on the entire domain and not on a specific OU. If you choose to do so, use “dc=domain,dc=com” instead of “ou=users,dc=domain,dc=com”.
Lamer note: I know that the default “Users” container in AD is not an OU and therefore should be addressed as “CN=Users…”, this is just for the sake of the example.

After running the command, we get the next output: delegates 1 small

Note: You can also use the CSVDE command instead of LDIFDE. The difference between the two commands is that CSVDE will export the results into a CSV file that can be easily viewed by Excel and further edited. The syntax is the same, just replace the LDIFDE command with CSVDE, and make the file a CSV instead of a TXT file. Interpretation of the output

What does the output file tell us?

  1. We can see that the user Tzahi Kolber added Krystal James as his delegate (first 4 lines).
  2. We can see that the user Daniel Petri added Krystal James as his delegate (middle 4 lines).
  3. We can see that the user Krystal James was delegated by Daniel Petri and Tzahi Kolber (last 4 lines).