Group Delegation Permissions Reports

4 Reports
About Group Delegation Permissions Reports

Group Delegation Permissions Reports audit the security permissions assigned to Group objects in Active Directory. Review who has been granted access to manage, modify, or control groups — including inherited permissions from parent containers and explicitly set permissions.

Permission Auditing

Review all delegation rights

Inheritance Analysis

Inherited vs explicit permissions

Full Control Detection

Identify over-privileged access

Example: Group Delegation Permissions Reports in AD Reports

AD Reports Group Delegation Permissions Reports

Available Reports

All Permissions

All delegation permissions on Groups. Provides a complete list of every permission entry on Group objects, combining both inherited and explicitly set permissions for a comprehensive security view.

Use Cases
  • Audit who can manage group membership and attributes
  • Detect unauthorized delegation of group administration
  • Prepare for Role-Based Access Control (RBAC) reviews
  • GDPR compliance for groups handling personal data
Key Information
  • Group Distinguished Name
  • Trustee account or group
  • Permission type
  • Inheritance status and object class scope
Inherited Permissions

Inherited delegation permissions on Groups. Shows permissions that flow down from parent OUs, the domain, or other containers via the AD inheritance model.

Use Cases
  • Verify default inherited permissions align with security policy
  • Identify groups where parent-OU delegations may grant unexpected access
  • Establish baseline for new group structures
Key Information
  • Source container (origin of the inherited permission)
  • Trustee account or group
  • Permission type
  • Propagation scope
Not Inherited (Explicit)

Explicitly set delegation permissions on Groups. These permissions were manually configured directly on Group objects, overriding or supplementing inherited permissions.

Use Cases
  • Track custom group administration delegations
  • Identify non-standard access grants
  • Change detection for compliance auditing
Key Information
  • Trustee account or group
  • Explicit permission type
  • Group name and scope (global/universal/domain-local)
  • Object class restriction
Pro Tip: Explicit permissions are the most important to review, as they represent intentional delegation decisions that may need periodic revalidation.
Full Control

Full Control delegation permissions on Groups. Identifies all accounts and groups that have been granted complete control over Group objects, including the ability to modify membership and security settings.

Use Cases
  • Identify who can add/remove members from any group
  • Detect over-privileged service accounts
  • Enforce principle of least privilege for group management
  • Security groups and admin group access review
Key Information
  • Trustee account name and type
  • Group name and Distinguished Name
  • Group scope and type (security/distribution)
  • Inheritance flag
Critical: Full Control over a group means the trustee can change its membership — including adding themselves to privileged groups like Domain Admins.
Related Reports
General Group Reports All groups, types, scopes, members
Nested Group Membership Nesting analysis and circular detection
See These Reports in Action

Try AD Reports free for 14 days — run any of these reports on your own Active Directory.

Download Free Trial View All Features
Back to Report Library Back to Top