Account Operators - A Fast Way to Delegate Control for Service Desk

One of the painful things that is always neglected but still very important is the delegation of control for service desk staff. Service desk staff need access to perform tasks in active directory, however you want to limit their actions as to what they can do. This is where delegation access lists come into play, however creating a successful delegation permission list is not an easy thing to do for most administrators and can take time to get right.

For companies that are very busy and do not have time to do this, there is a Built-In Group called Account Operators which is always overlooked by Administrators. In face this group is perfect for help desk staff, here is why:

Account Operators is a domain local group that grants limited account creation privileges to a user. Members of this group can create and modify most types of accounts, including those of users, local groups, and global groups. They can also log on locally to domain controllers. However, Account Operators can't manage the Administrator user account, the user accounts of administrators, or the group accounts Administrators, Server Operators, Account Operators, Backup Operators, and Print Operators. Account Operators also can't modify user rights.

After reading this I encourage you to take your help desk employees out of the Domain Admins group and add them to the Account Operators group, it will allow them to perform most elements of their service desk duties.