Active Directory tasks: To delegate or not to delegate?

While some Active Directory tasks can be performed by non-admin personnel, there are some that should never, ever be delegated.


Obviously, the ability to delegate administrative tasks to non-administrative level users is often beneficial. Being able to offload menial or low-level tasks to properly trained and eager (or conscripted) users is a bonus to any admin. However, there are numerous operations, tasks and functions that should never be delegated.

Delegating certain forest-level or domain-level capabilities to non-admin users can place your entire forest or domain at serious risk, including elevation of privilege and denial of service. These risks can be realized through deliberate misuse by the delegate as well as through inadvertent mistakes, and an honest mistake at the schema or configuration partition is just as damaging as a malicious one. So, don't risk it. Keep the operations in the following two lists as privileges that only the elite administrators enjoy (or are at least held responsible for).

This is a list of forest level operations that should never be delegated:

  • Installing the enterprise CA
  • Modifying forest LDAP policy settings
  • Modifying the schema
  • Managing forest-level operations master roles
  • Managing site topology
  • Managing crossRef objects

This is a list of domain level operations that should never be delegated:

  • Installation and removal of Active Directory (promoting or demoting domain controllers)
  • Software installation on domain controllers
  • Outbound trust management
  • Replication management
  • Domain-level operations master role management
  • Domain controller security policy changes
  • Domain security policy changes
  • Backup and restore operations

Overall you should limit the scope of the operations and privileges you delegate to smaller OUs and to tasks that cannot directly compromise the entire domain or forest. Partial user management (for example, resetting passwords for the accounts in one OU) and file sharing management are typical candidates.
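The following PowerShell script is an added example, not code from the original article or its author. It shows both halves of the advice above: granting a narrowly scoped delegation (the "Reset Password" extended right on user objects under a single OU) and then auditing the partitions from the two "never delegate" lists (the domain root, the schema, and the configuration partition that holds site topology and crossRef objects) for explicit, non-inherited grants to anyone outside a known set of administrative principals. It assumes the RSAT ActiveDirectory module, a domain named corp.example, an OU "Staff", a group "Helpdesk", and the trustee names in $expectedTrustees; all of those are hypothetical and must be adjusted to your environment. The two schema GUIDs are fixed, well-known Active Directory values.

```powershell
# Added example; not part of the original article. Requires the RSAT ActiveDirectory
# module and the rights of a domain administrator to run.
Import-Module ActiveDirectory

# --- Part 1: a delegation that is safe to hand out -------------------------------
# Assumed (hypothetical) names: domain corp.example, OU "Staff", group "Helpdesk".
$ou    = "OU=Staff,DC=corp,DC=example"
$group = Get-ADGroup -Identity "Helpdesk"
$sid   = [System.Security.Principal.SecurityIdentifier] $group.SID

# Well-known Active Directory GUIDs (fixed values, not site-specific).
$resetPasswordRight = [Guid] "00299570-246d-11d0-a768-00aa006e0529"  # extended right: Reset Password
$userClass          = [Guid] "bf967aba-0de6-11d0-a285-00aa003049e2"  # objectClass: user

# Build an ACE that allows ONLY the Reset Password right, ONLY on descendant user
# objects of this OU. Nothing at the domain, schema or configuration level changes.
$acl = Get-Acl -Path "AD:\$ou"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ou" -AclObject $acl
Write-Host "Delegated 'Reset Password' on user objects under $ou to $($group.Name)"

# --- Part 2: audit the partitions that must never be delegated ------------------
$rootDse = Get-ADRootDSE
$protectedPartitions = @(
    $rootDse.defaultNamingContext,        # domain root: domain policy, trusts, FSMO roles
    $rootDse.schemaNamingContext,         # schema: schema modifications
    $rootDse.configurationNamingContext   # configuration: sites, crossRef objects, LDAP policy
)

# Trustees that are expected to hold explicit rights on these partitions.
# Assumed for the hypothetical domain corp.example; tailor to your own baseline.
$expectedTrustees = @(
    "NT AUTHORITY\SYSTEM",
    "NT AUTHORITY\SELF",
    "NT AUTHORITY\Authenticated Users",
    "NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS",
    "BUILTIN\Administrators",
    "BUILTIN\Pre-Windows 2000 Compatible Access",
    "CORP\Domain Admins",
    "CORP\Enterprise Admins",
    "CORP\Schema Admins",
    "CORP\Domain Controllers",
    "CORP\Enterprise Read-only Domain Controllers",
    "CORP\Cert Publishers",
    "CORP\Key Admins",
    "CORP\Enterprise Key Admins"
)

$findings = foreach ($dn in $protectedPartitions) {
    $partitionAcl = Get-Acl -Path "AD:\$dn"
    # Only explicit Allow ACEs matter here: an inherited ACE is reported where it
    # was set, and a Deny ACE does not grant anything.
    $partitionAcl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            -not $_.IsInherited -and
            $expectedTrustees -notcontains $_.IdentityReference.Value
        } |
        ForEach-Object {
            [pscustomobject]@{
                Partition  = $dn
                Trustee    = $_.IdentityReference.Value
                Rights     = $_.ActiveDirectoryRights
                ObjectType = $_.ObjectType    # all-zero GUID means "all properties/rights"
            }
        }
}

if ($findings) {
    Write-Warning "Unexpected explicit grants on protected partitions:"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "No unexpected explicit grants found on the domain, schema or configuration partitions."
}
```

The audit deliberately compares against an allow-list rather than looking for specific "bad" rights: any non-inherited Allow ACE for a principal that is not in the baseline is worth a look, because the partitions in question are exactly where an extra GenericAll, WriteDacl or WriteOwner grant turns into control of the whole forest. Run Part 2 on a schedule (or after every change ticket) and treat any new row as an incident until it is explained.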


James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.


This was first published in June 2004
