Check for problem in delegation model
Documentation » Delegation vulnerability
When delegating the right to create users or computers mistakes can be made which open the path to an attacker. PingCastle can scan quickly the permissions to find such vulnerability.


AD connectivity

Access to the Active Directory via a local account or an account from a trusted domain

No local requirements

PingCastle requires only the dotnet framework version 2 available starting from Windows 2000

No domain requirements

Any users can query the objects stored in the domain or the GPO objects.

Build it

The report can be generated in the interactive mode by choosing “healthcheck” or just by pressing Enter. Indeed it is the default analysis mode.

It can be run using the command:

PingCastle.exe –graph –server


The report is divided in 2 parts. The parts are described below.

The main page contains an overview of all the accounts and groups checked.

 Per categories, objectives are being shown and they have been achieved or not.

If needed, a table below indicates the details computed during the analysis



This section indicates the main findings and the associated graph can be shown when clicking on the group or user account.

 A click on detail display the compromission graph

The relation between the group or user account to monitor and the objects which can take control of it are drawn.

The read it, you have to find the root object by following the arrow object by object until you find it.

Then you have to identify the other account and understand why they are linked. The best way is to stand the mouse on a link until a notice is displayed. This notice indicates why the node has been attached.

A real life example: