Active Directory Task Delegation To End Users

Posted October 2nd, 2013

Today I’m going to talk a little more about delegating Active Directory administration to end users, or at least to non-AD admins. We get a lot of questions along the following lines:

“We have a thousand end users, distributed over twenty different departments. Each department has its own public folder on our file servers. Whenever someone needs access to that public folder, or a subfolder, a call is made to our service desk, and someone from IT has to add a user to a security group. That work amounts to some X hundred calls a year, and worse, it’s prone to delays and errors. Do you offer a way to delegate this work to the department itself, but in a safe and straightforward way?”

Ehhh, yeah. Or better still, yes, we do!

Let’s break this question down a bit. What you want in this case is:

  1. to delegate this work to one end user per department. Let’s call these people department admins. They do not need extensive, or even moderate, Active Directory knowledge. They only need to know how to perform the specific tasks you allow them to do.
  2. to give each department admin access to his or her own department only. So, you want them to see only the representation of their own department in your Active Directory. In short, you want to provide, and restrict them to, a specific Active Directory entry point.
  3. to restrict what they can do to the objects in their own department. So, you want to allow them to modify group memberships, but not delete objects, create objects, see or change access rights, or change any other properties.
  4. to prevent anyone except the department admin from even viewing your Active Directory, let alone changing it, with any of our tools.

Here’s how to accomplish this with ADUC Admin Plus, for, say, department ‘Sales’:

  1. Create an ADUC Admin Plus profile with the name ‘Sales’, anywhere in your Active Directory.
  2. Under ‘Application Properties/LDAP’, pick the LDAP path to the Sales Organizational Unit, and restrict to ‘given LDAP path’ or to ‘given Domain’.
  3. Under ‘Application Prohibits’, check ‘disable Profile Override’ and ‘disable Profile Creation’. Also, check the ‘disable startup of all our tools by anyone who is not a member of any profile’ checkbox.
  4. Under ‘Function Prohibits’, disable all functionality.
  5. Under ‘Attribute Prohibits’, select all properties, except ‘Member’ and ‘Member Of’.
  6. With ‘Add Profile Users’, add the sales department admin to the profile.

That’s all there is to it. The result:

- Only the department admin can start up ADUC Admin Plus (make sure, by the way, that you yourself are also a member of a profile, or you too will no longer be able to start up ADUC Admin Plus from anywhere in your network).
- When the department admin starts up ADUC Admin Plus, he or she sees only the subtree of the Organizational Unit ‘Sales’.
- Within that subtree, the department admin can view only group memberships, and changing memberships is the only modification he or she can make.

So, not only can you safely delegate granting access to your public folders to each department, there are three further advantages:

  1. Because our tools are single executables that do not have to be installed, you don’t have to install a client application on the workstations of your department admins. You also don’t have to install and maintain a (web) application to give your department admins access to your Active Directory. You can simply provide the executable itself, or the download URL, to your department admins, and you’re up and running.
  2. All changes made to your Active Directory by department admins are logged to an event viewer of your choice, and can be rolled back from that event viewer, by you, or, if you allow it, by the department admins themselves.
  3. When implementing the scheme above, no changes are made to the security on your Active Directory (!!!). The only thing you are doing is restricting the interface and functionality of ADUC Admin Plus itself. In other words, if a department admin has the right to change, say, the property ‘Description’, he or she can still change that property, just not with ADUC Admin Plus.

Although we strongly advise always trimming the rights you grant to anyone on your AD, the question of what rights a department admin actually holds is basically irrelevant to this scheme. Even if you make a department admin a Domain Admin by mistake, he or she can still change only what’s presented to him or her. So, if you disable the option to delete objects, he or she can still delete objects, but not with ADUC Admin Plus, because the option simply won’t be available to him or her in ADUC Admin Plus.
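The “trim the rights” advice above, carried out on the directory itself rather than in the tool. This is an added PowerShell example, not the vendor’s code or part of the original post: it grants a department admin group write access to the `member` attribute of groups under the Sales OU and nothing else, then lists the resulting ACE for verification. The domain `contoso.local`, the OU path and the group name `Sales Admins` are assumptions; it needs the ActiveDirectory module.

```powershell
# Added example (not the vendor's code). Server-side counterpart of the
# client-side restrictions described on the page: the tool hides properties
# in its interface, this ACE is what limits a direct LDAP write.
# Assumed names: domain contoso.local, OU=Sales, group "Sales Admins".
Import-Module ActiveDirectory

$ouDn        = 'OU=Sales,DC=contoso,DC=local'
$delegateGrp = 'Sales Admins'

# Resolve schemaIDGUIDs from the schema instead of hard-coding them.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$ldapName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$ldapName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}
$memberAttrGuid = Get-SchemaGuid 'member'   # the one attribute being delegated
$groupClassGuid = Get-SchemaGuid 'group'    # apply only to objects of class group

$sid = (Get-ADGroup $delegateGrp).SID

# ACE: Allow WriteProperty on 'member', inherited by descendant group objects only.
# Inheritance 'Descendents' keeps the right off the OU object itself.
$ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $memberAttrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $groupClassGuid)

$acl = Get-Acl -Path "AD:\$ouDn"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verify: the delegate should hold exactly one explicit ACE on this OU,
# WriteProperty scoped to the member attribute on group objects, nothing broader.
function Test-SalesDelegation {
    (Get-Acl -Path "AD:\$ouDn").Access |
        Where-Object { $_.IdentityReference -like "*\$delegateGrp" -and -not $_.IsInherited } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
}
Test-SalesDelegation
```

Run as an account that can modify the OU’s ACL; `Test-SalesDelegation` should show a single row whose `ObjectType` equals the `member` schemaIDGUID and whose `InheritedObjectType` equals the `group` class GUID.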

We're a software company based in Amsterdam that focuses on large-scale network management software. aducADMIN+ is our flagship product - but we also manage networks of over 20,000 users.

Vision It has been developing custom software solutions since 2009 and launched aducADMIN+ in 2010 to help us save time and money managing our own networks.