Admin Tips
- Windows Server 2008/2003/2000/XP/NT Administrator Knowledge Base
  - Windows 2003
    - Admin Tips
      - Active Directory
        Avoiding Legacy Built-in Groups

Section(s): Active Directory
Published on May 10, 2006.
Last Modified on May 10, 2006.
Last Modified by Mitch Tulloch.
Rated 4.8 out of 5 based on 4 votes.

How you can avoid using legacy built-in groups to grant admin-level privileges.

Microsoft documentation on this isn't clear, but built-in local groups like Account Operators, Server Operators, and others found in the Builtin container of Active Directory are legacy groups that are basically only there to maintain backward compatibility with Windows NT.

If you want to grant users rights to perform certain tasks like create new accounts, reset passwords, and so on, avoid using these built-in groups and use Active Directory delegation instead. Delegation gives you greater control over which groups of users you can assign to perform different kinds of admin-level tasks, and it's easy to use as well, just right-click on an OU and select Delegate Control and a wizard opens to walk you through the process.

Cheers,
Mitch Tulloch
MVP Windows Server
http://www.mtit.com

About Mitch Tulloch

Mitch Tulloch is a widely recognized expert on Windows administration, networking, and security. He has been repeatedly awarded Most Valuable Professional (MVP) status by Microsoft for his outstanding contributions in supporting users who deploy and use Microsoft platforms, products and solutions. Mitch has published over two hundred articles on different IT websites and magazines, and he has written or contributed to almost two dozen books and is lead author for the Windows 7 Resource Kit from Microsoft Press. For more information, see www.mtit.com .