What is delegation of administration in Active Directory?

An IT infrastructure typically comprises many IT assets, such as user accounts, computers, files and databases, applications and services, all of which need to be administered. In such an infrastructure it is not possible for a handful of administrators to adequately administer every aspect of it.


Thus, in most IT infrastructures, administrative responsibilities for managing the various IT assets that together make up the infrastructure are distributed (delegated) among a larger number of less-privileged administrators, each of whom is then responsible for managing a smaller, specific portion of the infrastructure.


Delegation of administration is the act of distributing the administrative tasks for the various aspects of IT management among an adequate number of administrators.


Delegating administration involves granting one or more users or Active Directory security groups the necessary Active Directory security permissions, as appropriate, so that the delegated administrator is able to carry out those tasks.


In the interest of security, after delegating an administrative task IT personnel should also verify the delegation in Active Directory, to be sure that the task was delegated accurately: to the intended principal, on the intended objects, and with no more rights than intended. Verifying a delegation in Active Directory is rather complicated, because the effective permissions on an object depend on inherited access control entries and group memberships, but with the right Active Directory reporting tool IT personnel can accomplish this task efficiently and reliably.
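As an added example (not code from the original article or from the reference it cites), the following PowerShell delegates one task, resetting passwords on the user objects beneath an OU, to a security group, and then reads the OU's ACL back to verify exactly what was granted. The OU and group names are placeholders; the two GUIDs are the well-known schema identifiers for the Reset Password extended right and the user object class.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory
# module (RSAT) is installed and that the OU and group below already exist;
# both names are placeholders chosen for illustration.
Import-Module ActiveDirectory

$ouDN      = 'OU=Helpdesk-Managed,DC=corp,DC=example'   # placeholder OU
$groupName = 'Helpdesk-PasswordResetters'               # placeholder group

# ACEs are stored by SID, not by name, so resolve the group's SID first.
$groupSid = (Get-ADGroup -Identity $groupName).SID

# Well-known schema GUIDs that scope the delegation:
#   "Reset Password" control access right (the extended right being granted)
#   "user" object class (the only class of descendant the ACE applies to)
$resetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
$userClass          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

$acl = Get-Acl -Path "AD:\$ouDN"

# Allow ExtendedRight (Reset Password) on descendant user objects only.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verification: re-read the ACL and list every ACE (explicit and inherited)
# held by this group. The reviewer expects exactly one Allow entry with
# ObjectType = Reset Password right, InheritedObjectType = user class and
# InheritanceType = Descendents; anything else is over-delegation.
$rules = (Get-Acl -Path "AD:\$ouDN").GetAccessRules(
    $true, $true, [System.Security.Principal.SecurityIdentifier])

$rules |
    Where-Object { $_.IdentityReference -eq $groupSid } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                  ObjectType, InheritedObjectType, InheritanceType, IsInherited |
    Format-Table -AutoSize
```

Reading the ACL back with `GetAccessRules` rather than trusting the object just written is the point: if the group already held broader rights through inheritance from a parent container, they appear in the same listing and the delegation is not as narrow as intended.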


Done right, Active Directory's powerful administrative delegation capabilities let organizations securely, efficiently and cost-effectively delegate administrative authority for identity and access management in their IT infrastructures, thereby reducing cost and enhancing security.


Source - Active Directory Security Technical Reference


How to identify and list recently Deleted Objects in Active Directory?

IT admins often need to identify recently deleted objects in their Active Directory deployments, in some cases to uncover accidental deletions and in others to produce a list of all recently deleted objects for audit or compliance purposes.


An Active Directory object comes into existence either when Active Directory is installed or when it is created by an IT administrator or an application. When it is no longer needed, an object can be deleted by an IT administrator or an application. When an object is deleted it is first only logically deleted and retained for a specific interval of time, so that the deletion can replicate to every domain controller; only after that interval has elapsed is it physically removed.


IT administrators thus often need to identify and list recently deleted objects in Active Directory, and there is more than one way in which they can enumerate deleted objects.


IT administrators who wish to query Active Directory for a list of deleted objects should attach the LDAP Show Deleted Objects control (OID 1.2.840.113556.1.4.417) to their search; without this control, logically deleted objects are not returned. IT administrators can also choose to use 3rd-party automated Active Directory reporting tools that provide instant and reliable reports documenting all objects deleted in the last few days, often broken down by object class as well.


It always helps to know whether there were any accidental deletions, or whether any objects were recently deleted by another IT administrator, so IT administrators should keep an eye on deleted objects and ensure that any accidental deletions are undone.
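The query described above, and the follow-up check for accidental deletions, as an added PowerShell example that is not part of the original article. `Get-ADObject -IncludeDeletedObjects` is what causes the cmdlet to send the Show Deleted Objects control to the domain controller. The seven-day look-back window is a constructed value.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory
# module is installed and the caller can read the domain's Deleted Objects
# container. The look-back window is a constructed value.
Import-Module ActiveDirectory

$lookBackDays = 7
$since = (Get-Date).AddDays(-$lookBackDays)

# Deleted objects carry isDeleted=TRUE and sit under the hidden
# "Deleted Objects" container. Ordinary searches do not return them;
# -IncludeDeletedObjects attaches the Show Deleted Objects LDAP control
# (OID 1.2.840.113556.1.4.417). whenChanged is the last write to the object,
# which for a deleted object is normally the deletion itself.
$deleted = Get-ADObject -Filter { isDeleted -eq $true -and whenChanged -ge $since } `
    -IncludeDeletedObjects `
    -Properties objectClass, whenChanged, lastKnownParent, 'msDS-LastKnownRDN', isRecycled |
    Where-Object { $_.DistinguishedName -notlike 'CN=Deleted Objects,*' }  # skip the container itself

# Per-class summary: the view an audit or compliance report usually asks for first.
$deleted |
    Group-Object ObjectClass |
    Sort-Object Count -Descending |
    Select-Object @{n='ObjectClass'; e={ $_.Name }}, Count |
    Format-Table -AutoSize

# Detail list: original name, where the object lived, and roughly when it went.
# The name attribute of a deleted object is mangled ("<name>\0ADEL:<guid>"),
# so msDS-LastKnownRDN is used to recover the original RDN.
$deleted |
    Select-Object @{n='OriginalName';  e={ $_.'msDS-LastKnownRDN' }},
                  ObjectClass,
                  @{n='DeletedAround'; e={ $_.whenChanged }},
                  LastKnownParent,
                  IsRecycled,
                  ObjectGUID |
    Sort-Object DeletedAround -Descending |
    Format-Table -AutoSize

# An accidental deletion found above can be reversed while the object is still
# in the deleted (not yet recycled) state, provided the AD Recycle Bin is enabled:
#   Restore-ADObject -Identity <ObjectGUID from the list above>
```

Objects whose `IsRecycled` column reads True have already passed out of the restorable state and can only be recreated, not restored, which is why the check is worth running regularly rather than after the fact.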
What does Active Directory reporting refer to?

Active Directory reporting usually refers to the generation of security reports for identity and access management in IT infrastructures powered by Active Directory.


These reports typically cover everything from domain user accounts, security groups, group policies, computers, organizational units, containers, service connection points and trusts to the domain security policies themselves.

These reports can be generated in a variety of ways. Some organizations use home-grown scripts to generate these reports whereas others use 3rd party solutions to generate these reports.

For most organizations these reports constitute an integral part of their security management strategy.
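As an added example of the home-grown script approach mentioned above (not code from the original article or from any product it refers to), the following PowerShell writes four of the listed report types, user accounts, security groups, group policies and trusts, to CSV files for review. The output directory is a placeholder; everything else uses the standard ActiveDirectory and GroupPolicy modules.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory and
# GroupPolicy modules (RSAT) are installed and the caller can read the domain.
# The output directory is a placeholder.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$outDir = Join-Path $env:TEMP 'ad-reports'          # placeholder output location
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'

# 1. Domain user accounts, with the attributes a security review usually wants:
#    accounts that never expire or need no password, stale logons, and
#    AdminCount=1 (protected by AdminSDHolder, i.e. current or former privileged).
$userProps = @('Enabled', 'PasswordNeverExpires', 'PasswordNotRequired',
               'LastLogonDate', 'PasswordLastSet', 'AdminCount', 'whenCreated')
Get-ADUser -Filter * -Properties $userProps |
    Select-Object (@('SamAccountName') + $userProps + @('DistinguishedName')) |
    Export-Csv -Path (Join-Path $outDir "users-$stamp.csv") -NoTypeInformation

# 2. Security groups with direct member counts; AdminCount=1 groups are flagged
#    so reviewers look at the privileged ones first.
Get-ADGroup -Filter 'GroupCategory -eq "Security"' -Properties Members, AdminCount |
    Select-Object SamAccountName, GroupScope,
                  @{n='MemberCount'; e={ @($_.Members).Count }},
                  @{n='Protected';   e={ $_.AdminCount -eq 1 }},
                  DistinguishedName |
    Export-Csv -Path (Join-Path $outDir "groups-$stamp.csv") -NoTypeInformation

# 3. Group Policy Objects: status and modification times show what changed recently.
Get-GPO -All |
    Select-Object DisplayName, GpoStatus, CreationTime, ModificationTime, Id |
    Export-Csv -Path (Join-Path $outDir "gpos-$stamp.csv") -NoTypeInformation

# 4. Trusts: direction, transitivity and whether SID filtering is in force.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, ForestTransitive,
                  SelectiveAuthentication, SIDFilteringQuarantined |
    Export-Csv -Path (Join-Path $outDir "trusts-$stamp.csv") -NoTypeInformation

Get-ChildItem -Path $outDir -Filter "*-$stamp.csv" | Select-Object Name, Length
```

Each CSV is a point-in-time snapshot; keeping the dated files and diffing consecutive runs is the simplest way a home-grown approach gets the "what changed since last week" view that 3rd-party tools provide out of the box.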