Active Directory tasks: To delegate or not to delegate?

James Michael Stewart, Contributor

Obviously, the ability to delegate administrative tasks to users who are not administrators is often beneficial. Being able to offload menial or low-level tasks to properly trained and eager (or conscripted) users is a bonus to any admin. However, there are numerous operations, tasks and functions that should never be delegated.

Delegating certain forest-level or domain-level capabilities to non-admin users can place your entire forest or domain at serious risk, including elevation of privilege and denial-of-service attacks. These risks can be realized through a user's direct malicious intent as well as through inadvertent mistakes. Most of the operations below are not merely sensitive but equivalent to full control of the directory: whoever can modify the schema, manage replication or install software on a domain controller can grant themselves any other right. So, don't risk it. Keep the operations in the following two lists as privileges that only the core administrators enjoy (and are held accountable for).

This is a list of forest-level operations that should never be delegated:

  • Installing the enterprise CA
  • Modifying forest LDAP policy settings
  • Modifying the schema
  • Managing forest-level operations master roles
  • Managing site topology
  • Managing crossRef objects

This is a list of domain-level operations that should never be delegated:

  • Installation and removal of Active Directory
  • Software installation on domain controllers
  • Outbound trust management
  • Replication management
  • Domain-level operations master role management
  • Domain controller security policy changes
  • Domain security policy changes
  • Backup and restore operations
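The two lists above translate directly into access control entries on a handful of directory containers: the Schema and Configuration partitions, the Sites and Partitions containers, the domain root and the Domain Controllers OU. The following audit script is an added example (it is not part of the original tip) that lists every principal outside an expected set of administrative groups holding write, control or extended rights on those containers. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and that the current user's NetBIOS domain is the forest root; the group names in the expected list are assumptions you should adjust for your forest.

```powershell
# Added example, not part of the original tip. Lists every non-default principal
# that holds write, control or extended rights on the forest- and domain-level
# containers whose ACLs gate the operations in the two lists above.
# Requires the ActiveDirectory module (RSAT). The output is a review list,
# not a verdict: some entries (Exchange, Key Admins, third-party tools) may be
# expected in your forest, but each one is in effect a forest administrator.
Import-Module ActiveDirectory

function Find-RiskyDelegation {
    [CmdletBinding()]
    param(
        # Principals expected to hold control. Assumed names; $env:USERDOMAIN is
        # the NetBIOS name of the current user's domain, adjust for multi-domain forests.
        [string[]]$ExpectedPrincipals = @(
            'NT AUTHORITY\SYSTEM',
            'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
            'BUILTIN\Administrators',
            "$env:USERDOMAIN\Domain Admins",
            "$env:USERDOMAIN\Enterprise Admins",
            "$env:USERDOMAIN\Schema Admins",
            "$env:USERDOMAIN\Domain Controllers",
            "$env:USERDOMAIN\Enterprise Read-only Domain Controllers"
        )
    )

    $rootDse = Get-ADRootDSE
    $cfg = $rootDse.configurationNamingContext
    $dom = $rootDse.defaultNamingContext

    # Each container mapped to the "never delegate" operation its ACL protects.
    $targets = @(
        @{ Dn = $rootDse.schemaNamingContext; Guards = 'schema modification' }
        @{ Dn = $cfg;                          Guards = 'forest config: LDAP policy, forest FSMO roles' }
        @{ Dn = "CN=Sites,$cfg";               Guards = 'site topology' }
        @{ Dn = "CN=Partitions,$cfg";          Guards = 'crossRef objects' }
        @{ Dn = $dom;                          Guards = 'domain root: replication, domain FSMO roles' }
        @{ Dn = "CN=System,$dom";              Guards = 'trust objects, domain policy' }
        @{ Dn = "OU=Domain Controllers,$dom";  Guards = 'domain controller security policy' }
    )

    # Rights that let a principal change the object or its ACL, or exercise a
    # control access right such as replication. Plain read rights are ignored.
    $writeLike = [int][System.DirectoryServices.ActiveDirectoryRights]'GenericAll, GenericWrite, WriteDacl, WriteOwner, WriteProperty, ExtendedRight, CreateChild, DeleteChild, Delete, DeleteTree'

    foreach ($t in $targets) {
        $acl = Get-Acl -Path "AD:\$($t.Dn)"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
            if (([int]$ace.ActiveDirectoryRights -band $writeLike) -eq 0) { continue }
            $who = $ace.IdentityReference.Value
            if ($ExpectedPrincipals -contains $who) { continue }
            [pscustomobject]@{
                Object     = $t.Dn
                Guards     = $t.Guards
                Principal  = $who
                Rights     = $ace.ActiveDirectoryRights
                ObjectType = $ace.ObjectType    # GUID of the attribute or right; all-zero GUID means everything
                Inherited  = $ace.IsInherited
            }
        }
    }
}

Find-RiskyDelegation | Sort-Object Object, Principal | Format-Table -AutoSize
```

Run it as an ordinary domain user; reading these ACLs needs no special rights. Anything it reports with GenericAll, WriteDacl or WriteOwner on the domain root or Schema partition, or with ExtendedRight on the domain root (which covers the replication control rights), should be treated as a delegation of the whole forest, whatever the group is called.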

Overall, limit the scope of what you delegate, both in breadth and in depth: grant rights on specific OUs rather than at the domain root, and grant only the particular rights a task needs (for example, the Reset Password right on user objects) rather than Full Control on the OU. Good candidates are tasks whose misuse cannot compromise the entire domain or forest, such as partial user management and file-share management.
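What a properly scoped delegation looks like in practice, as an added example that is not from the original tip: the script below gives a help desk group the ability to reset and unlock passwords for user objects under one OU, and nothing else. It goes slightly beyond the paragraph above by also granting the two attribute writes that a reset needs in practice (pwdLastSet to force a change at next logon, lockoutTime to unlock). It assumes the ActiveDirectory PowerShell module; the OU distinguished name and the group name in the example call are assumptions.

```powershell
# Added example, not part of the original tip. Delegates exactly the rights a
# help desk needs to reset and unlock passwords for user objects under one OU,
# instead of granting Full Control on the OU or any right at the domain root.
# Requires the ActiveDirectory module (RSAT) and a principal that may modify the OU's ACL.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE

# Look the GUIDs up in the schema and configuration partitions rather than
# hard-coding them; an object-specific ACE needs the GUID of each attribute,
# class and extended right it refers to.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$obj.rightsGuid
}

function Grant-OuPasswordResetDelegation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$OuDn,       # OU whose user objects are in scope
        [Parameter(Mandatory)][string]$GroupName   # sAMAccountName of the help desk group
    )
    $sid        = (Get-ADGroup -Identity $GroupName).SID
    $userClass  = Get-SchemaGuid 'user'
    $resetRight = Get-ExtendedRightGuid 'Reset Password'
    $pwdLastSet = Get-SchemaGuid 'pwdLastSet'   # needed to force "change password at next logon"
    $lockout    = Get-SchemaGuid 'lockoutTime'  # needed to unlock an account

    # Scope every ACE to descendant objects of class "user" only, so the group
    # gets nothing on the OU itself or on groups, computers and nested OUs.
    $inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
    $allow    = [System.Security.AccessControl.AccessControlType]::Allow
    $extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $rwProp   = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
    $rules = @(
        [System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid, $extRight, $allow, $resetRight, $inherit, $userClass)
        [System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid, $rwProp,   $allow, $pwdLastSet, $inherit, $userClass)
        [System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid, $rwProp,   $allow, $lockout,    $inherit, $userClass)
    )

    $path = "AD:\$OuDn"
    $acl  = Get-Acl -Path $path
    foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
    if ($PSCmdlet.ShouldProcess($OuDn, "grant $GroupName password reset/unlock on user objects")) {
        Set-Acl -Path $path -AclObject $acl
    }

    # Return what the group now holds on the OU so the grant can be verified.
    (Get-Acl -Path $path).Access |
        Where-Object { $_.IdentityReference.Value -like "*\$GroupName" } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
}

# Example call with assumed names. Drop -WhatIf to apply the change.
Grant-OuPasswordResetDelegation -OuDn 'OU=Help Desk Managed,DC=example,DC=com' `
    -GroupName 'Helpdesk-PasswordReset' -WhatIf
```

The point of the three object-specific ACEs is that the group can do nothing to the OU, to computer or group objects, or to any user attribute beyond the two named ones; compare that with the Delegation of Control wizard's "Full Control" option, which is only a short step from the domain-wide rights the lists above say never to hand out.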

James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.

This was first published in June 2004
