First off — thanks for building and open-sourcing ADeleginator. The "surface only the insecure delegations" idea is exactly what's missing from ADeleg's raw output, and it's already very useful.
I ran into a problem when using it against a German-localized Active Directory, and wanted to flag it because it produces a silent false-negative ("No insecure delegations found. Eureka!") even when insecure delegations exist.
Problem
The detection relies on three hardcoded English regex lists (Invoke-ADeleginator.ps1):
```powershell
$UnsafeTrustees = 'Domain Users|Authenticated Users|Everyone'
$Tier0Resources = 'Account Operators|Administrator|...|Domain Admins|...|Schema Admins|...'
```
On a localized DC, AD principals are written by ADeleg with their localized CN, so these patterns never match. Verified against a German lab domain (feignet.home):
| English pattern | Localized CN in CSV | Matches? |
|---|---|---|
| Domain Users | Domänen-Benutzer | ❌ |
| Domain Admins | Domänen-Admins | ❌ |
| Enterprise Admins | Organisations-Admins | ❌ |
| Administrators | Administratoren | ❌ |
| Account/Backup/Print Operators | *-Operatoren | ❌ |
| AdminSDHolder, krbtgt, DnsAdmins | (not localized) | ✅ |
Reproduction: delegated a dangerous right to Domänen-Benutzer (Domain Users) on a test OU → ADeleg's CSV contained the row, but ADeleginator reported "Eureka!" / no findings.
Two useful details from testing:
- Universal well-known SIDs come through in English regardless of OS locale — Everyone was emitted literally (not Jeder), and Authenticated Users likewise. So those existing patterns are fine; only domain-relative identities (Domain Users/Admins, Enterprise/Schema Admins, Domain Controllers…) and Builtin groups need localization.
- The rights/Details column is also always English ("Write all properties", "Change the owner", etc.), so $UnsafeDelegations needs no localization.
Possible direction
Resolve the relevant well-known SIDs to localized names at runtime and build the regex from that, e.g. SecurityIdentifier(WellKnownSidType, domainSid).Translate([NTAccount]). Happy to put together a PR along these lines if you're open to it — wanted to check first whether you'd prefer this approach or something else.
(Side note unrelated to locale: Enterprise Read-Only Domain Controllers / RODC group seems to be missing from $Tier0Resources even on English AD — could fold that in at the same time.)
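One way to build the patterns from well-known SIDs at runtime, as an added example that is not code from this issue or from the ADeleginator project. It assumes the ActiveDirectory module is available for Get-ADDomain and that ADeleg's trustee column carries the bare CN; the function name and the sample CSV row are constructed for the demonstration.

```powershell
# Added example (not ADeleginator's own code): resolve well-known SIDs to the
# DC's localized names and build the match patterns from the result.
using namespace System.Security.Principal

function Get-LocalizedWellKnownNames {
    param(
        [Parameter(Mandatory)][SecurityIdentifier]$DomainSid,
        [Parameter(Mandatory)][WellKnownSidType[]]$Types
    )
    foreach ($t in $Types) {
        try {
            # Domain-relative SIDs need the domain SID; it is ignored for Builtin/universal ones.
            $acct = [SecurityIdentifier]::new($t, $DomainSid).Translate([NTAccount]).Value
            # ADeleg writes the bare CN, so drop the "DOMAIN\" / "BUILTIN\" prefix
            # and escape the name so "Domänen-Benutzer" stays a literal in the regex.
            [regex]::Escape($acct.Split('\')[-1])
        } catch [IdentityNotMappedException] {
            # A SID that does not resolve in this forest is skipped rather than failing the scan.
        }
    }
}

$domainSid = (Get-ADDomain).DomainSID   # assumption: ActiveDirectory module present

$unsafeTypes = [WellKnownSidType]::AccountDomainUsersSid,
               [WellKnownSidType]::AuthenticatedUserSid,
               [WellKnownSidType]::WorldSid
$tier0Types  = [WellKnownSidType]::AccountDomainAdminsSid,
               [WellKnownSidType]::AccountEnterpriseAdminsSid,
               [WellKnownSidType]::AccountSchemaAdminsSid,
               [WellKnownSidType]::AccountControllersSid,
               [WellKnownSidType]::BuiltinAdministratorsSid,
               [WellKnownSidType]::BuiltinAccountOperatorsSid,
               [WellKnownSidType]::BuiltinBackupOperatorsSid,
               [WellKnownSidType]::BuiltinPrintOperatorsSid

$UnsafeTrustees = (Get-LocalizedWellKnownNames -DomainSid $domainSid -Types $unsafeTypes) -join '|'
# Names the issue reports as never localized are appended verbatim.
$Tier0Resources = ((Get-LocalizedWellKnownNames -DomainSid $domainSid -Types $tier0Types) +
                   'AdminSDHolder', 'krbtgt', 'DnsAdmins') -join '|'

# Constructed sample row in the shape of ADeleg's CSV: on a German DC the hardcoded
# English pattern misses it, while the runtime-built pattern matches.
$row = [pscustomobject]@{ Trustee = 'Domänen-Benutzer'; Details = 'Write all properties' }
$row.Trustee -match 'Domain Users|Authenticated Users|Everyone'   # False on a German DC
$row.Trustee -match $UnsafeTrustees                                # True on a German DC
```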