Manipulate delegation wizard in Active Directory

The Delegation Wizard is a convenient way to grant permissions to a group or user so that they can take over responsibility for administering objects in Active Directory. The wizard's task list is maintained in the delegwiz.inf file on each domain controller. This tutorial covers how to edit that file and add custom tasks to the default tasks of the Delegation Wizard.

Manipulating the delegation wizard is not a difficult process. First, navigate to %systemroot% and copy the delegwiz.inf file to your desktop. This is necessary because the file is protected and you are not allowed to overwrite it in place. Once you have copied the file, open it in Notepad and edit it as follows.

When you open delegwiz.inf you will notice that there are nearly 13-14 predefined templates. Each of these templates is a task in the delegation wizard. If you want a new task to appear among the wizard's default tasks, you have to add a new template to the file.

Now we are going to insert a new task into the default tasks of the delegation wizard. In this tutorial we will allow modification of the pager attribute. Each task in the delegation wizard points to a template in delegwiz.inf, so the very first thing to do is to append the new template's name to the Templates list on the first line.

Templates = template1, template2, template3, template4

Now copy and paste the code below to the end of the file:




Description = "Create, Delete, and Manage Pager Attributes"

ObjectTypes = user




In the very last line you have to assign permissions to the attribute. Create Child (CC) and Delete Child (DC) are the most common permissions, though you can also use Read Property (RP), Write Property (WP) and Full Control (GA).

Done! There is only one more step, and that is saving the file and overwriting the original. However, you cannot simply copy and paste the file into the %systemroot%\System32 folder, because you do not have the required permissions. Change the file's owner from TrustedInstaller to the administrator and assign full control permissions, and then you can overwrite it.

You can open delegation wizard and verify that the new template has been added!
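Before the edited copy replaces the original, it can be checked for the mistake this procedure makes easy: a template name added to the Templates list without matching sections, or a section the list never references. The following is an added example, not part of the original tutorial; the helper name `check_delegwiz`, the sample file text and the assumption that every entry in ObjectTypes needs its own `[templateN.type]` section with at least one permission line are mine.

```python
import configparser

# Constructed sample (not the page's file): template2 is listed and has a
# header section, but its per-object-type permission section is missing.
SAMPLE = """
[DelegationTemplates]
Templates = template1, template2

[template1]
Description = "Create, delete, and manage user accounts"
ObjectTypes = SCOPE, user
[template1.SCOPE]
user = CC,DC
[template1.user]
@ = GA

[template2]
Description = "Create, Delete, and Manage Pager Attributes"
ObjectTypes = user
"""

def check_delegwiz(text):
    """Return a list of structural problems found in delegwiz.inf text."""
    inf = configparser.ConfigParser(interpolation=None, strict=False,
                                    delimiters=("=",))
    inf.read_string(text)  # option names are matched case-insensitively
    raw = inf.get("DelegationTemplates", "Templates", fallback="")
    listed = [t.strip() for t in raw.split(",") if t.strip()]
    problems = []
    for name in listed:
        if name not in inf:
            problems.append(f"{name}: listed in Templates but has no [{name}] section")
            continue
        for key in ("Description", "ObjectTypes"):
            if key not in inf[name]:
                problems.append(f"{name}: missing {key}")
        for obj in inf[name].get("ObjectTypes", "").split(","):
            section = f"{name}.{obj.strip()}"
            if obj.strip() and not (section in inf and len(inf[section])):
                problems.append(f"{name}: no permissions in [{section}]")
    for sec in inf.sections():
        base = sec.split(".")[0]
        if base.lower().startswith("template") and base not in listed:
            problems.append(f"{sec}: not listed in Templates, the wizard will not show it")
    return problems

if __name__ == "__main__":
    print("\n".join(check_delegwiz(SAMPLE)) or "no problems found")
```

Run it against the copy on the desktop by passing the file's text to `check_delegwiz`; an empty list means every listed template has its sections and nothing is orphaned.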
