Friday, June 4, 2010

What are the most commonly delegated administrative tasks in Active Directory?

Active Directory provides a highly fine-grained delegation model and in fact a large number of administrative tasks can be delegated in Active Directory. In practice however, there are some administrative tasks that are delegated more often than others because they are delegatable and easy to delegate.

Here are some of the most commonly delegated administrative tasks in Active Directory -
  1. Creation and deletion of domain user accounts
  2. Resetting domain user account passwords
  3. Disabling and enabling of domain user accounts
  4. Unlocking domain user accounts
  5. Creation and deletion of domain security groups
  6. Changing domain security group memberships
  7. Changing domain security group scopes
  8. Changing domain security group types
  9. Creation and deletion of organizational units
  10. Linking and unliking of GPOs to organizational units
  11. Creation and deletion of service connection points
  12. Changing a service connection point keywords
Active Directory also provides the tools necessary to delegate and undelegate these tasks, although doing so precisely requires intimate knowledge of Active Directory ACLs and the Active Directory Security Model.


  1. This comment has been removed by the author.

  2. Hi James,

    Hope you are well and that work's going well. Hey, I might have found something you might find quite valuable.

    Came across an Active Directory report tool called Gold Finger, that had these access reports which could be used to determine who is delegated what access in Active Directory.

    Since you're focused on delegation in AD, thought it might be helpful to you.

    If you get a chance to try it or review it, I'd be interested in your thoughts on it.