Finding delegates in Active Directory
When using Exchange 2000/2003 it is very common for users to define delegates on their mailboxes so that others can manage them. For example, a manager and his or her secretary (send on behalf).
The problem occurs when one of the employees who was configured as a delegate (for example user A) has left the company. When user B sends a meeting request to the manager, user B receives an NDR because user A no longer exists in Active Directory but is still configured as a delegate for user B.
In this scenario we will use 3 users:
- Tzahi Kolber (Tkolber) as a Manager.
- Daniel Petri (Dpetri) as a Manager.
- Krystal James (Kjames) as the Secretary.
We are going to use the LDIFDE command (from the Windows 2003 Support Tools, also found on the Windows 2003 CD-ROM). The command queries two attributes that exist on every user object in AD:
- publicDelegates – This attribute stores the user that was configured as a delegate (the secretary).
- publicDelegatesBL – This is the back-link of publicDelegates: it stores the users whose mailboxes were configured with this user as a delegate (the manager).
As a side note, you can view these attributes by using ADSIedit.msc (also from the Windows 2003 Support Tools) and navigating to the following path:
- Domain partition.
- The relevant domain (for example DC=ms,DC=com).
- The relevant location of the user that you are looking for (for example CN=Users).
- Choose the relevant user, right-click > properties.
- Look for the relevant attribute (for example publicDelegates).
Download the Windows 2003 Support Tools
Running the LDIFDE command
In the following command I will export all the publicDelegates users and the publicDelegatesBL for users that are located in an OU called “Users”, to a text file named C:\Delegates.txt:
c:\>ldifde -f C:\delegates.txt -d "ou=users,dc=domain,dc=com" -l name,publicDelegates,publicDelegatesBL -r "(|(publicDelegates=*)(publicDelegatesBL=*))"
- -f – writes the output to the file named C:\Delegates.txt
- -d – restricts the query to one OU in the directory
- -l – determines which attributes to list
- -r – LDAP filter that returns only objects with any value in the attributes mentioned
You can run the command on the entire domain and not on a specific OU. If you choose to do so, use “dc=domain,dc=com” instead of “ou=users,dc=domain,dc=com”.
Lamer note: I know that the default “Users” container in AD is not an OU and therefore should be addressed as “CN=Users…”, this is just for the sake of the example.
Note: You can also use the CSVDE command instead of LDIFDE. The difference between the two commands is that CSVDE will export the results into a CSV file that can be easily viewed by Excel and further edited. The syntax is the same, just replace the LDIFDE command with CSVDE, and make the file a CSV instead of a TXT file.
Interpretation of the output
What does the output file tell us?
- We can see that the user Tzahi Kolber added Krystal James as his delegate (first 4 lines).
- We can see that the user Daniel Petri added Krystal James as his delegate (middle 4 lines).
- We can see that the user Krystal James was delegated by Daniel Petri and Tzahi Kolber (last 4 lines).