Microsoft AD - Add/Remove Delegate Control Tasks to/from Assets
- Updated on 20 Mar 2025
Microsoft AD - Add/Remove Delegate Control Tasks to/from Assets adds a delegate control task to or removes a delegate control task from:
- Assets returned by the selected query or assets selected on the relevant asset page.
A Delegate Control task refers to the process of assigning a range of administrative tasks to users, groups and other entities.
See Creating Enforcement Sets to learn more about adding Enforcement Actions to Enforcement Sets.
- Not all asset types are supported for all Enforcement Actions.
- See Actions supported for Activity Logs, Adapters Fetch History, and Asset Investigation modules.
- See Actions supported for Vulnerabilities.
- See Actions supported for Software.
Required Fields
These fields must be configured to run the Enforcement Set.
- Action name - The name of this Enforcement Action. The system sets a default name. You can change the name.
- Configure Dynamic Values - Toggle on to enter a Dynamic Value statement. See Creating Enforcement Action Dynamic Value Statements to learn more about Dynamic Value statement syntax.
- Hostname - A domain controller with WinRM access.
- User Name and Password - Credentials to access the domain controller with WinRM access.
- Target Distinguished Name - The object that is the target of the delegate control task, for example: user, group, organizational unit, domain, etc.
- Delegate Control Task - From the dropdown list of permissions, select the permission to add or remove.
- Role - From the dropdown list of roles, select the role to add or remove.
- Action Type - Add or Remove.
- Compute Node - The Axonius node to use when connecting to the specified host. For more details, see Connecting Additional Axonius Nodes.
Example
If the assets selected in the query are Users, and the following parameters are selected:
- Target Distinguished Name - Users
- Delegate Control Task - Change Password
- Role - WriteOwner
- Action Type - Add
Then this Enforcement Action adds a WriteOwner role and a Change Password permission to all Users, and Users are the target of the delegate control task. In other words, this Enforcement Action assigns users a role and a permission to change the password of other users.
Additional Fields
- Gateway Name - Select the Gateway through which to connect to perform the action.
APIs
Axonius uses the following Microsoft PowerShell APIs:
Required Ports
Axonius must be able to communicate with the WinRM service via the following ports:
- 5985 or 5986
Required Permissions
The stored credentials, or those provided in Connection and Credentials, must have the following permission(s) to perform this Enforcement Action:
- Permission to run the following PowerShell commands:
  - Get-ADObject
  - Get-ADDomain
  - Get-Acl
  - Set-Acl
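One way to check the effect of this action on the Target Distinguished Name is to read its ACL with Get-Acl and list the ACEs a delegate control task can grant. The following is an added example, not Axonius code; the function name, the CORP trustees, the DN and the sample ACEs are constructed, and the GUIDs are the well-known control access rights from the AD schema.

```powershell
# Added example (not Axonius code): list ACEs that a delegate control task can grant.
# Function name, trustees, DN and sample ACEs are constructed for illustration.
$ExtendedRights = @{
    '00000000-0000-0000-0000-000000000000' = 'All Extended Rights'
    'ab721a53-1e2f-11d0-9819-00aa0040529b' = 'Change Password'
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password'
}
# Rights that let a trustee take over or rewrite the object's security descriptor.
$SensitiveRights = 'WriteOwner', 'WriteDacl', 'GenericAll'

function Get-DelegationFinding {
    param(
        [Parameter(Mandatory)] [string]   $TargetDN,
        [Parameter(Mandatory)] [object[]] $Ace
    )
    foreach ($a in $Ace) {
        if ($a.AccessControlType -ne 'Allow') { continue }
        $rights = "$($a.ActiveDirectoryRights)" -split ',\s*'
        $hits   = @($rights | Where-Object { $SensitiveRights -contains $_ })
        $guid   = "$($a.ObjectType)".ToLower()
        if ($rights -contains 'ExtendedRight' -and $ExtendedRights.ContainsKey($guid)) {
            $hits += $ExtendedRights[$guid]
        }
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                Target    = $TargetDN
                Trustee   = "$($a.IdentityReference)"
                Grants    = $hits -join ', '
                Inherited = [bool]$a.IsInherited
            }
        }
    }
}

# Constructed sample ACEs, shaped like the objects in (Get-Acl).Access
$sample = @(
    [pscustomobject]@{ IdentityReference = 'CORP\helpdesk'; ActiveDirectoryRights = 'WriteOwner'; AccessControlType = 'Allow'; ObjectType = '00000000-0000-0000-0000-000000000000'; IsInherited = $false }
    [pscustomobject]@{ IdentityReference = 'CORP\helpdesk'; ActiveDirectoryRights = 'ExtendedRight'; AccessControlType = 'Allow'; ObjectType = 'ab721a53-1e2f-11d0-9819-00aa0040529b'; IsInherited = $false }
    [pscustomobject]@{ IdentityReference = 'NT AUTHORITY\Authenticated Users'; ActiveDirectoryRights = 'GenericRead'; AccessControlType = 'Allow'; ObjectType = '00000000-0000-0000-0000-000000000000'; IsInherited = $true }
)
Get-DelegationFinding -TargetDN 'CN=Users,DC=corp,DC=example' -Ace $sample | Format-Table -AutoSize

# Against a live domain (the ActiveDirectory module provides the AD: drive):
#   Import-Module ActiveDirectory
#   $dn = (Get-ADObject -Identity 'CN=Users,DC=corp,DC=example').DistinguishedName
#   Get-DelegationFinding -TargetDN $dn -Ace @((Get-Acl -Path "AD:\$dn").Access)
```

Running it before and after the Enforcement Set and comparing the output shows exactly which ACEs the action added or removed. A non-inherited WriteOwner entry deserves review, because it lets the trustee take ownership of the object and then rewrite its DACL.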
For more details about other Enforcement Actions available, see Action Library.