2021 Annual Petri Reader Survey - We want to know what's important to you! 2021 Annual Petri Reader Survey - We want to know what's important to you!
Exchange Server

Finding Delegates in Active Directory

Finding delegates in Active Directory

When using Exchange 2000/2003 there are very common situations where users define delegates in their mailboxes in order to let others manage their mailboxes. For example – a managers and his or her secretary (send of behalf).

The problem occurs when one of the employees that was configured as a delegate (for example user A) has left the company. When user B sends a meeting request for the manager, user B will receive an NDR because user A no longer exists in Active Directory, but is still configured as a delegate for user B.

In this scenario we will use 3 users:

  • Tzahi Kolber (Tkolber) as a Manager.
  • Daniel Petri (Dpetri) as a Manager.
  • Krystal James (Kjames) as the Secretary.

We are going to use the LDIFDE command (from the Windows 2003 Support Tools – or in the Windows 2003 CDROM). This command queries 2 attributes in the AD that can be found for every user object:

  • publicDelegates – This attribute stores the user that was configured as a delegate (the secretary).
  • publicDelegatesBL – This attribute stores the user his mailbox that was configured with a delegate (the manager).

As a side note, you can view these attributes by using ADSIedit.msc (also from the Windows 2003 Support Tools) and navigating to the following path:

  1. Domain partition.
  2. The relevant domain (for example DC=ms,DC=com).
  3. The relevant location of the user that you are looking for (for example CN=Users).
  4. Choose the relevant user, right-click > properties.
  5. Look for the relevant attribute (for example publicDelegates).

Download the Windows 2003 Support Tools

Running the LDIFDE command

In the following command I will export all the publicDelegates users and the publicDelegatesBL for users that are located in an OU called “Users”, to a text file named C:\Delegates.txt:

c:\>ldifde -f C:\delegates.txt -d "ou=users,dc=domain,dc=com" -l name,publicDelegates,publicDelegatesBL -r "(|(publicDelegates=*)(publicDelegatesBL=*))"

Explanation:

-f – assigns the output to the file named C:\Delegates.txt -d – isolates OU in the directory to query -l – determines what attributes to list -r – filters for objects with any value for the attributes mentioned

You can run the command on the entire domain and not on a specific OU. If you choose to do so, use “dc=domain,dc=com” instead of “ou=users,dc=domain,dc=com”.

Lamer note: I know that the default “Users” container in AD is not an OU and therefore should be addressed as “CN=Users…”, this is just for the sake of the example.

After running the command, we get the next output:

Note: You can also use the CSVDE command instead of LDIFDE. The difference between the two commands is that CSVDE will export the results into a CSV file that can be easily viewed by Excel and further edited. The syntax is the same, just replace the LDIFDE command with CSVDE, and make the file a CSV instead of a TXT file. Interpretation of the output

What does the output file tell us?

  1. We can see that the user Tzahi Kolber added Krystal James as his delegate (first 4 lines).
  2. We can see that the user Daniel Petri added Krystal James as his delegate (middle 4 lines).
  3. We can see that the user Krystal James was delegated by Daniel Petri and Tzahi Kolber (last 4 lines).

Related Topics:

BECOME A PETRI MEMBER:

Don't have a login but want to join the conversation? Sign up for a Petri Account

Register
Comments (0)

Leave a Reply

Register for the Hybrid Identity Protection (HIP) Europe Conference!

Hybrid Identity Protection (HIP) Europe 2021 - Virtual Conference

Mobile workforces, cloud applications, and digitalization are changing every aspect of the modern enterprise. And with radical transformation come new business risks. Hybrid Identity Protection (HIP) is the premier educational forum for identity-centric practitioners. At the inaugural HIP Europe, join your local IAM experts and Microsoft MVPs to learn all the latest from the Hybrid Identity world.