Active Directory delegation is great, especially if you adhere to role-based access control (RBAC). But do you know how your custom delegation is configured? Do you know if the previous administrator delegated rights? What is an easy way to find out without right-clicking each and every organizational unit (OU) in Active Directory? Easy, PowerShell.
PowerShell Script
The following script lists all delegated rights in Active Directory, excluding rights that are inherited. The data is then displayed in a grid, from which you can copy it to Excel for documentation or further analysis.
Recommendation
Active Directory delegation should be reviewed biannually along with an Active Directory security audit. Deciphering this data can be complex and you don't want to make any mistakes when it comes to security, so reach out to a company that specializes in reviewing and analyzing this data.