Author: Santhosh Sivarajan, Microsoft MVP
GitHub: https://github.com/SanthoshSivarajan/DelegationCanvas
DelegationCanvas scans every OU across all forest domains and trusts, parses the full ACL on each OU, translates every GUID to human-readable names, classifies risk, and produces a comprehensive delegation report. It also audits built-in privileged groups to identify misuse of legacy operator groups like Print Operators, Account Operators, Server Operators, and Backup Operators.
If you need to answer "who has access to what in my AD" -- this is the tool.
Features:
- Full ACL parsing on every OU across all forest domains
- GUID translation for object types, properties, and extended rights
- Explicit vs inherited permission separation
- Risk classification (Critical/High/Medium/Low) per ACE
- Human-readable permission summaries
- Cross-domain and trust delegation detection
- Top delegated principals and OUs
- Member enumeration for 10 high-risk built-in groups
- Identification of groups that should be empty but have members
- Disabled accounts still in privileged groups
- Service accounts in privileged groups
- Per-member risk flags
Built-in privileged group audit:

| Group | Expected State | Risk if Populated |
|---|---|---|
| Account Operators | EMPTY | Critical -- can create/modify users |
| Server Operators | EMPTY | Critical -- can log on to DCs |
| Print Operators | EMPTY | Critical -- can load kernel drivers on DCs |
| Backup Operators | EMPTY or minimal | Critical -- can read NTDS.dit |
| Schema Admins | EMPTY | Critical -- can modify AD schema |
| Enterprise Admins | EMPTY day-to-day | Critical -- full forest control |
| Domain Admins | 2-5 members | High if >5 |
| DnsAdmins | Tightly controlled | High -- can load DLLs on DNS/DC |
| Group Policy Creator Owners | Controlled | Medium -- can create domain GPOs |
| Administrators (builtin) | Domain Admins only | Review nested membership |
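The following is an added example, not DelegationCanvas's own code, showing how the expected-state table above can be applied in practice: each of the ten groups is enumerated recursively, compared against its expected state, and every member is given the risk flags the tool reports (disabled accounts, service accounts with an SPN, cross-domain members). The `$GroupPolicy` structure, the function names and the `Review` risk label are assumptions of this example; the group names, thresholds and risk levels are taken from the table. It assumes the ActiveDirectory RSAT module and read access to the domain.

```powershell
Import-Module ActiveDirectory

# Expected state per group, taken from the table above (structure is this example's, not the tool's).
# MaxMembers 0 = should be empty; 5 = flagged when more than five; $null = no numeric threshold.
$GroupPolicy = [ordered]@{
    'Account Operators'           = @{ MaxMembers = 0;     Risk = 'Critical' }
    'Server Operators'            = @{ MaxMembers = 0;     Risk = 'Critical' }
    'Print Operators'             = @{ MaxMembers = 0;     Risk = 'Critical' }
    'Backup Operators'            = @{ MaxMembers = 0;     Risk = 'Critical' }
    'Schema Admins'               = @{ MaxMembers = 0;     Risk = 'Critical' }
    'Enterprise Admins'           = @{ MaxMembers = 0;     Risk = 'Critical' }
    'Domain Admins'               = @{ MaxMembers = 5;     Risk = 'High' }
    'DnsAdmins'                   = @{ MaxMembers = $null; Risk = 'High' }
    'Group Policy Creator Owners' = @{ MaxMembers = $null; Risk = 'Medium' }
    'Administrators'              = @{ MaxMembers = $null; Risk = 'Review' }
}

function Get-DomainFromDN {
    # "CN=x,OU=y,DC=corp,DC=example,DC=com" -> "corp.example.com"
    param([string]$DistinguishedName)
    (($DistinguishedName -split ',DC=') | Select-Object -Skip 1) -join '.'
}

function Get-PrivilegedGroupAudit {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    foreach ($groupName in $GroupPolicy.Keys) {
        $policy = $GroupPolicy[$groupName]
        try {
            # -Recursive expands nested groups, so indirect members are reported too
            $members = @(Get-ADGroupMember -Identity $groupName -Recursive -Server $Domain -ErrorAction Stop)
        } catch {
            # Schema Admins / Enterprise Admins exist only in the forest root domain;
            # any other lookup failure is surfaced rather than silently skipped
            Write-Warning "$groupName in ${Domain}: $($_.Exception.Message)"
            continue
        }
        $overLimit = ($null -ne $policy.MaxMembers) -and ($members.Count -gt $policy.MaxMembers)

        foreach ($m in $members) {
            $flags = New-Object System.Collections.Generic.List[string]
            if ($overLimit) { $flags.Add("ExceedsExpected($($policy.MaxMembers))") }
            $memberDomain = Get-DomainFromDN $m.distinguishedName
            if ($memberDomain -ne $Domain) { $flags.Add('CrossDomain') }

            if ($m.objectClass -eq 'user') {
                try {
                    # Resolve against the member's own domain so cross-domain members are found
                    $u = Get-ADUser -Identity $m.distinguishedName -Server $memberDomain `
                        -Properties Enabled, ServicePrincipalName -ErrorAction Stop
                    if (-not $u.Enabled) { $flags.Add('Disabled') }
                    if ($u.ServicePrincipalName.Count -gt 0) { $flags.Add('ServiceAccount') }
                } catch { $flags.Add('Unresolved') }
            } elseif ($m.objectClass -eq 'computer') {
                $flags.Add('ComputerAccount')
            }

            [pscustomobject]@{
                Domain = $Domain
                Group  = $groupName
                Member = $m.SamAccountName
                Class  = $m.objectClass
                Risk   = if ($overLimit) { $policy.Risk } else { 'Review' }
                Flags  = ($flags -join ',')
            }
        }
    }
}

# Usage: show every member of a group that should be empty or is over its limit,
# plus any member that carries a flag in a group that is merely under review
Get-PrivilegedGroupAudit | Where-Object { $_.Risk -ne 'Review' -or $_.Flags } |
    Sort-Object Risk, Group | Format-Table -AutoSize
```

Run it once per domain with `-Domain` to cover a forest; recursive expansion can fail on foreign security principals from an external trust, in which case the warning names the group so it can be checked by hand.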
Risk classification per ACE:

| Risk | Rights Pattern |
|---|---|
| Critical | GenericAll, WriteDACL, WriteOwner |
| High | GenericWrite, sensitive WriteProperty (member, SPN, KeyCredentialLink, RBCD), ExtendedRight on All/Replication |
| Medium | ExtendedRight (Reset Password), CreateChild, DeleteChild, WriteProperty |
| Low | ReadProperty, ReadControl, ListChildren |
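As an added example (not the tool's own code), the block below implements the GUID translation listed under the features and the risk table above in one pass: it builds a single GUID-to-name map from the schema and the Extended-Rights container, reads each OU's ACL through the `AD:` drive, and classifies every allow ACE. Matching is done on the translated names (`member`, `servicePrincipalName`, `msDS-KeyCredentialLink`, `msDS-AllowedToActOnBehalfOfOtherIdentity` for sensitive writes, and the `Replicating Directory Changes*` extended rights) rather than on hard-coded GUIDs. The function names are assumptions of this example; it covers only the domain the session is bound to and does not filter built-in principals.

```powershell
Import-Module ActiveDirectory

function Get-AdGuidMap {
    # One GUID -> name map for schema classes/attributes and extended rights,
    # built once and reused for every OU instead of being rebuilt per ACE
    $rootDse = Get-ADRootDSE
    $map = @{}
    Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
        -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $map[([guid]$_.schemaIDGUID).ToString()] = $_.lDAPDisplayName }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter '(rightsGUID=*)' -Properties displayName, rightsGUID |
        ForEach-Object { $map[([guid]$_.rightsGUID).ToString()] = $_.displayName }
    return $map
}

function Resolve-AdGuid {
    param([guid]$Guid, [hashtable]$GuidMap)
    if ($Guid -eq [guid]::Empty) { return 'All' }   # empty GUID = right applies to everything
    $key = $Guid.ToString()
    if ($GuidMap.ContainsKey($key)) { return $GuidMap[$key] }
    return $key                                     # unknown GUID: keep the raw value visible
}

function Get-AceRisk {
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Ace, [string]$Target)
    $R = [System.DirectoryServices.ActiveDirectoryRights]
    $rights = $Ace.ActiveDirectoryRights
    # WriteProperty targets the table treats as sensitive (member, SPN, KeyCredentialLink, RBCD)
    $sensitive = @('member', 'servicePrincipalName', 'msDS-KeyCredentialLink',
                   'msDS-AllowedToActOnBehalfOfOtherIdentity')
    # HasFlag tests the whole bit set: GenericAll and GenericWrite are composite values,
    # so a plain -band would misreport a lone WriteProperty as GenericWrite
    if ($rights.HasFlag($R::GenericAll) -or $rights.HasFlag($R::WriteDacl) -or
        $rights.HasFlag($R::WriteOwner)) { return 'Critical' }
    if ($rights.HasFlag($R::GenericWrite)) { return 'High' }
    if ($rights.HasFlag($R::WriteProperty) -and $Target -in $sensitive) { return 'High' }
    if ($rights.HasFlag($R::ExtendedRight) -and
        ($Target -eq 'All' -or $Target -like 'Replicating Directory Changes*')) { return 'High' }
    if ($rights.HasFlag($R::ExtendedRight) -or $rights.HasFlag($R::CreateChild) -or
        $rights.HasFlag($R::DeleteChild) -or $rights.HasFlag($R::WriteProperty)) { return 'Medium' }
    return 'Low'   # ReadProperty, ReadControl, ListChildren and anything not in the table
}

function Get-OuDelegationReport {
    param([switch]$IncludeInherited)
    $guidMap = Get-AdGuidMap
    foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
        $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($ace.IsInherited -and -not $IncludeInherited) { continue }
            if ($ace.AccessControlType -ne 'Allow') { continue }   # deny ACEs restrict, they do not delegate
            $target = Resolve-AdGuid -Guid $ace.ObjectType -GuidMap $guidMap
            [pscustomobject]@{
                OU        = $ou.DistinguishedName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.ActiveDirectoryRights.ToString()
                Target    = $target
                AppliesTo = Resolve-AdGuid -Guid $ace.InheritedObjectType -GuidMap $guidMap
                Inherited = $ace.IsInherited
                Risk      = Get-AceRisk -Ace $ace -Target $target
            }
        }
    }
}

# Usage: explicit Critical/High delegations only, mirroring the tool's default view
Get-OuDelegationReport | Where-Object { $_.Risk -in 'Critical', 'High' } |
    Sort-Object Risk, OU | Format-Table -AutoSize
```

`AppliesTo` is the inherited object type (for example `user` or `computer`), which is what distinguishes a delegation over all descendants from one scoped to a single class; `Target` is the property, property set or extended right the ACE names, so a `Medium` row with target `Reset Password` reads exactly as the table intends.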
Report sections:
- Executive Summary with counts and risk breakdown
- Domain Statistics (OUs, explicit, inherited, built-in per domain)
- High-Risk Delegations (Critical + High)
- Top Delegated Principals (who has the most permissions)
- Top Delegated OUs (delegation hotspots)
- Cross-Domain Delegations (trust-related)
- Built-In Privileged Group Audit (summary)
- Misused Built-In Groups (should be empty but aren't)
- Privileged Group Member Details (per-member risk)
- All Custom Delegations (complete table)
- Charts (7 charts)
Optimized for large environments:
- Uses `[System.Collections.Generic.List[object]]` instead of array append
- GUID maps built once, reused across all domains
- Built-in principals filtered from main view (reduces data 60-70%)
- Table limits (500 for high-risk, 1000 for all delegations)
- Inherited permissions excluded by default (use `-IncludeInherited` to include)
Usage:

```powershell
# Default: explicit delegations only (recommended for large environments)
.\DelegationCanvas.ps1

# Include inherited permissions (larger report)
.\DelegationCanvas.ps1 -IncludeInherited

# Custom output path
.\DelegationCanvas.ps1 -OutputPath C:\Reports
```

Requirements:
- Windows PowerShell 5.1+ or PowerShell 7+
- ActiveDirectory module (RSAT)
- Domain user account (Domain Admin or delegated read access recommended)
License: MIT -- Free to use, modify, and distribute.

Related tools from the same author:
- ADCanvas -- Active Directory documentation
- EntraIDCanvas -- Entra ID documentation
- IntuneCanvas -- Intune documentation
- ZeroTrustCanvas -- Zero Trust posture assessment
- NHICanvas -- Non-Human Identity governance
Developed by Santhosh Sivarajan, Microsoft MVP