Finding Delegates in Active Directory
Finding delegates in Active Directory
When using Exchange 2000/2003 there are very common situations where users define delegates in their mailboxes in order to let others manage their mailboxes. For example – a managers and his or her secretary (send of behalf).
The problem occurs when one of the employees that was configured as a delegate (for example user A) has left the company. When user B sends a meeting request for the manager, user B will receive an NDR because user A no longer exists in Active Directory, but is still configured as a delegate for user B.
In this scenario we will use 3 users:
- Tzahi Kolber (Tkolber) as a Manager.
- Daniel Petri (Dpetri) as a Manager.
- Krystal James (Kjames) as the Secretary.
We are going to use the LDIFDE command (from the Windows 2003 Support Tools – or in the Windows 2003 CDROM). This command queries 2 attributes in the AD that can be found for every user object:
- publicDelegates – This attribute stores the user that was configured as a delegate (the secretary).
- publicDelegatesBL – This attribute stores the user his mailbox that was configured with a delegate (the manager).
As a side note, you can view these attributes by using ADSIedit.msc (also from the Windows 2003 Support Tools) and navigating to the following path:
- Domain partition.
- The relevant domain (for example DC=ms,DC=com).
- The relevant location of the user that you are looking for (for example CN=Users).
- Choose the relevant user, right-click > properties.
- Look for the relevant attribute (for example publicDelegates).
Download the Windows 2003 Support Tools
Running the LDIFDE command
In the following command I will export all the publicDelegates users and the publicDelegatesBL for users that are located in an OU called “Users”, to a text file named C:\Delegates.txt:
c:\>ldifde -f C:\delegates.txt -d "ou=users,dc=domain,dc=com" -l name,publicDelegates,publicDelegatesBL -r "(|(publicDelegates=*)(publicDelegatesBL=*))"
-f – assigns the output to the file named C:\Delegates.txt -d – isolates OU in the directory to query -l – determines what attributes to list -r – filters for objects with any value for the attributes mentioned
You can run the command on the entire domain and not on a specific OU. If you choose to do so, use “dc=domain,dc=com” instead of “ou=users,dc=domain,dc=com”.
Lamer note: I know that the default “Users” container in AD is not an OU and therefore should be addressed as “CN=Users…”, this is just for the sake of the example.
Note: You can also use the CSVDE command instead of LDIFDE. The difference between the two commands is that CSVDE will export the results into a CSV file that can be easily viewed by Excel and further edited. The syntax is the same, just replace the LDIFDE command with CSVDE, and make the file a CSV instead of a TXT file. Interpretation of the output
What does the output file tell us?
- We can see that the user Tzahi Kolber added Krystal James as his delegate (first 4 lines).
- We can see that the user Daniel Petri added Krystal James as his delegate (middle 4 lines).
- We can see that the user Krystal James was delegated by Daniel Petri and Tzahi Kolber (last 4 lines).
More in Exchange Server
M365 Changelog: Get-AdvancedThreatProtectionDocumentReport and Get-AdvancedThreatProtectionDocumentDetail to be retired
May 24, 2022 | Petri Staff
M365 Changelog: (Updated) Microsoft Defender for Office 365: Updates to URL Protection Report
May 24, 2022 | Petri Staff
M365 Changelog: Safe Links Global Settings Migrated to Custom Policies
May 20, 2022 | Petri Staff
Microsoft to Ship Some Exchange Server Security Updates in .EXE Packages
May 11, 2022 | Rabia Noureen
M365 Changelog: Exchange Transport Rule Report moving to the new Exchange Admin Center (EAC) from the Security and Compliance Center
Apr 22, 2022 | Petri Staff
Hive Ransomware Group Attacks Vulnerable Microsoft Exchange Servers
Apr 22, 2022 | Rabia Noureen
Most popular on petri