Friday, June 4, 2010

What are the most commonly delegated administrative tasks in Active Directory?

Active Directory provides a highly fine-grained delegation model, and a large number of administrative tasks can be delegated in it. In practice, however, some administrative tasks are delegated more often than others because they are delegatable and easy to delegate.

Here are some of the most commonly delegated administrative tasks in Active Directory:
  1. Creation and deletion of domain user accounts
  2. Resetting domain user account passwords
  3. Disabling and enabling of domain user accounts
  4. Unlocking domain user accounts
  5. Creation and deletion of domain security groups
  6. Changing domain security group memberships
  7. Changing domain security group scopes
  8. Changing domain security group types
  9. Creation and deletion of organizational units
  10. Linking and unlinking of GPOs to organizational units
  11. Creation and deletion of service connection points
  12. Changing a service connection point's keywords

Active Directory also provides the tools necessary to delegate and undelegate these tasks, although doing so precisely requires intimate knowledge of Active Directory ACLs and the Active Directory Security Model.
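
To make the link between these tasks and Active Directory ACLs concrete, here is an added example (not part of the original post) that reads an SDDL string exported from an OU and reports which of the tasks above its object-specific allow ACEs delegate, and to whom. The GUIDs are the standard schema and control-access-right GUIDs; the SDDL string and SIDs are constructed, and deny ACEs, generic ACEs and inheritance are deliberately not evaluated.

```python
import re

USER, GROUP, OU = ("bf967aba-0de6-11d0-a285-00aa003049e2",
                   "bf967a9c-0de6-11d0-a285-00aa003049e2",
                   "bf967aa5-0de6-11d0-a285-00aa003049e2")
# (SDDL right, object GUID) -> delegated task.
# CC=create child, DC=delete child, WP=write property, CR=control access right.
TASKS = {
    ("CC", USER): "create user accounts",
    ("DC", USER): "delete user accounts",
    ("CR", "00299570-246d-11d0-a768-00aa006e0529"): "reset user passwords",
    ("WP", "bf967a68-0de6-11d0-a285-00aa003049e2"): "disable/enable user accounts",  # userAccountControl
    ("WP", "28630ebf-41d5-11d1-a9c1-0000f80367c1"): "unlock user accounts",  # lockoutTime
    ("CC", GROUP): "create security groups",
    ("DC", GROUP): "delete security groups",
    ("WP", "bf9679c0-0de6-11d0-a285-00aa003049e2"): "change group memberships",  # member
    ("CC", OU): "create organizational units",
    ("DC", OU): "delete organizational units",
    ("WP", "f30e3bbe-9ff0-11d1-b603-0000f80367c1"): "link/unlink GPOs",  # gPLink
}
ACE_RE = re.compile(r"\(([^()]*)\)")

def delegated_tasks(sddl):
    """Return sorted (trustee, task) pairs granted by object-allow (OA) ACEs."""
    found = set()
    for body in ACE_RE.findall(sddl):
        fields = body.split(";")  # type;flags;rights;object;inherited object;trustee
        if len(fields) < 6 or fields[0] != "OA":
            continue  # skip deny, audit and non-object ACEs
        guid, trustee = fields[3].lower(), fields[5]
        for right in re.findall(r"[A-Z]{2}", fields[2]):
            task = TASKS.get((right, guid))
            if task:
                found.add((trustee, task))
    return sorted(found)

# Constructed sample: SIDs are placeholders, not real accounts.
PROVISIONING, HELPDESK, OTHER = "S-1-5-21-1-2-3-1105", "S-1-5-21-1-2-3-1106", "S-1-5-21-1-2-3-1107"
SAMPLE = ("O:DAG:DAD:"
          f"(OA;CI;CCDC;{USER};;{PROVISIONING})"
          f"(OA;CIIO;CR;00299570-246d-11d0-a768-00aa006e0529;{USER};{HELPDESK})"
          f"(OA;CIIO;RPWP;28630ebf-41d5-11d1-a9c1-0000f80367c1;{USER};{HELPDESK})"
          f"(OD;CI;WP;bf9679c0-0de6-11d0-a285-00aa003049e2;;{OTHER})"
          "(A;;RPLCLORC;;;AU)")

if __name__ == "__main__":
    for trustee, task in delegated_tasks(SAMPLE):
        print(f"{trustee}: {task}")
```
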