Primary vs. Delegated DoCID
This article explains the differences between Primary and Delegated DoCIDs in Quest ActiveRoles Server, and how to determine the type.
This article applies to: Active Directory Management
Primary vs. Delegated DoCIDs
There are two types of Delegation of Control (DoC) accounts (aka DoCIDs) in Quest ARS:
Primary Admins
Primary Admins are the main administrators for an Organizational Unit (OU). The OUs in this case are “top-level” OUs such as , , , , etc.
Primary Admins are given full control over most things within the “top” OUs, such as creating users, groups, computers, and sub-OUs.
Additionally, by default, they are given the ability to:
- define Dynamic Groups in Quest,
- create and link Group Policy Objects (GPOs),
- enable the LAPS password reader role for AD groups,
- and most importantly, sub-delegate permissions to others within their organization.
DoC accounts for Primary Admins are created and maintained by Identity Management (IDM) and those accounts reside in an OU managed by IDM as well. Generally, there are between two and six primary admins for the “top” OUs. A list of Primary Admins is auto-generated every hour based on the current assignment of Primary Admins for each OU.
Delegated Admins
These DoC accounts are created/managed by Primary Admins, and NOT IDM. The purpose of these accounts is delegation, which is also maintained by Primary Admins.
These accounts reside inside the top-level OUs, under the IDs\DOCIDs OU. Delegation of permissions is implemented through pre-defined Access Templates (ATs) in Quest: Primary Admins link an existing AT to grant a specific permission, such as creation of computer objects.
By default, Delegated Admins cannot sub-delegate their permissions or create Dynamic Groups or GPOs.
Determine Your DoCID Type
- Navigate to the AD Info site and log in with your NetID and password.
- Search for the DoC account using the search box in the upper right corner, then select the DoC account from the list that comes up. There may be only one account.
- Reference the OU path at the top of the window. If it contains , then it is a Delegated DoC account.
- A Primary DoC account's OU path will show the following:
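
The same OU-path check applied to distinguishedName strings in bulk, for reviewing which DoC accounts are Delegated. This is an added example, not code from the original article or from Quest; the function names, the sample DNs, and the reading of IDs\DOCIDs as OU=DOCIDs,OU=IDs,OU=<top-level OU> are assumptions. It only reports whether an account sits under a DOCIDs OU and does not reproduce the Primary OU path.

```powershell
# Added example. Assumption: "IDs\DOCIDs" inside a top-level OU appears in a
# distinguishedName as ...,OU=DOCIDs,OU=IDs,OU=<top-level OU>,DC=...
function Get-OuPath {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Tokenize RDNs: a backslash escapes the next character, so "\," does not split.
    [regex]::Matches($DistinguishedName, '(?:\\.|[^,\\])+') |
        ForEach-Object { $_.Value.Trim() } |
        Where-Object { $_ -match '^OU=' } |
        ForEach-Object { $_.Substring(3) }   # OU names, leaf-most first
}

function Get-DocIdType {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $ous  = @(Get-OuPath $DistinguishedName)
    $type = 'NotDelegated'
    # Delegated = a DOCIDs OU directly inside an IDs OU that has a parent OU above it.
    # Comparing whole OU components avoids matching "DOCIDs" inside a CN or other name.
    for ($i = 0; $i -lt $ous.Count - 2; $i++) {
        if ($ous[$i] -ieq 'DOCIDs' -and $ous[$i + 1] -ieq 'IDs') {
            $type = 'Delegated'
            break
        }
    }
    $top = if ($ous.Count) { $ous[-1] } else { $null }   # last OU in the DN is the top-level one
    [pscustomobject]@{
        Type       = $type
        TopLevelOU = $top
        DN         = $DistinguishedName
    }
}

# Constructed sample DNs (not real accounts).
$samples = @(
    'CN=doc-jdoe,OU=DOCIDs,OU=IDs,OU=ExampleDept,DC=example,DC=edu'           # Delegated
    'CN=Doe\, Jane (DoC),OU=DOCIDs,OU=IDs,OU=ExampleDept,DC=example,DC=edu'   # Delegated, escaped comma
    'CN=doc-asmith,OU=ExampleIdmOU,DC=example,DC=edu'                         # NotDelegated
    'CN=DOCIDs-report,OU=IDs,OU=ExampleDept,DC=example,DC=edu'                # NotDelegated, name only
)
$samples | ForEach-Object { Get-DocIdType $_ } | Format-Table Type, TopLevelOU, DN -AutoSize

# Live input instead of samples (requires the ActiveDirectory module):
#   Get-DocIdType (Get-ADUser -Identity '<DoC account>').DistinguishedName
```

A NotDelegated result means only that the account is not under a DOCIDs OU; confirm Primary status against the list of Primary Admins maintained by IDM.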
 
  
 
  