Computer Delegation Permissions Reports

4 Reports
About Computer Delegation Permissions Reports

Computer Delegation Permissions Reports audit the security permissions assigned to Computer objects in Active Directory. Review who has been delegated the ability to manage, modify, or control computer accounts — including inherited permissions from parent OUs and explicitly set permissions.

Permission Auditing

Review all delegation rights

Inheritance Analysis

Inherited vs explicit rights

Full Control Detection

Find over-privileged access

Example: Computer Delegation Permissions Reports in AD Reports

AD Reports Computer Delegation Permissions Reports

Available Reports

All Permissions

All delegation permissions on Computer objects. Provides a complete list of every permission entry, combining both inherited and explicitly set permissions.

Use Cases
  • Audit accounts that can manage computer objects (join/unjoin domain)
  • Identify service accounts with broad computer access
  • Workstation management delegation reviews
  • Compliance baseline for computer object permissions
Key Information
  • Computer Distinguished Name
  • Trustee account or group
  • Permission type
  • Inheritance flag and propagation scope
Inherited Permissions

Inherited delegation permissions on Computer objects. Shows permissions flowing down from parent OUs and the domain via the AD inheritance model.

Use Cases
  • Understand default permissions from the Computers container or parent OU
  • Identify computers where inheritance may grant unexpected access
  • Establish permission baseline before delegation changes
Key Information
  • Source container (origin of the inherited permission)
  • Trustee account or group
  • Permission type
  • Applied-to object class
Not Inherited (Explicit)

Explicitly set delegation permissions on Computer objects. These permissions were manually configured directly on Computer objects.

Use Cases
  • Find computers with custom management delegations
  • Detect service accounts with targeted computer permissions
  • Identify non-standard workstation access configurations
Key Information
  • Trustee account or group
  • Explicit permission type
  • Computer name and Distinguished Name
  • OU membership
Important: Explicit permissions on computer objects are often set by deployment tools or service accounts. Review regularly to prevent stale access.
Full Control

Full Control delegation permissions on Computer objects. Identifies all accounts with complete control over computer accounts, including the ability to modify, delete, and change security settings.

Use Cases
  • Identify accounts that can reset computer account passwords
  • Detect over-privileged management service accounts
  • Tier 0 privilege audit for computer objects
  • Pre-decommission access review
Key Information
  • Trustee account name and type
  • Computer name and Distinguished Name
  • OU path
  • Inheritance flag
Critical: Full Control over computer objects allows account resets and can be exploited to compromise domain-joined machines. Restrict to privileged admin accounts only.
Related Reports
General Computer Reports Computer inventory, DNS names, descriptions
Computer Kerberos Configuration Kerberos delegation for computers
See These Reports in Action

Try AD Reports free for 14 days — run any of these reports on your own Active Directory.

Download Free Trial View All Features
Back to Report Library Back to Top