Avoiding Legacy Built-in Groups

by Mitch Tulloch [Published on 10 May 2006 / Last Updated on 10 May 2006]

How you can avoid using legacy built-in groups to grant admin-level privileges.

Microsoft documentation on this isn't clear, but built-in local groups like Account Operators, Server Operators, and others found in the Builtin container of Active Directory are legacy groups that are basically only there to maintain backward compatibility with Windows NT.

If you want to grant users rights to perform certain tasks like create new accounts, reset passwords, and so on, avoid using these built-in groups and use Active Directory delegation instead. Delegation gives you greater control over which groups of users you can assign to perform different kinds of admin-level tasks, and it's easy to use as well, just right-click on an OU and select Delegate Control and a wizard opens to walk you through the process.

Mitch Tulloch
MVP Windows Server


See Also

The Author — Mitch Tulloch

Mitch Tulloch is a well-known expert on Windows Server administration and cloud computing technologies. He has published over a thousand articles on information technology topics and has written, contributed to or been series editor for over 50 books.

Featured Links