
Cornell University

Primary vs. Delegated DoCID

This article explains the differences between Primary and Delegated DoCIDs in Quest ActiveRoles Server, and how to determine the type.

This article applies to: CornellAD

Primary vs. Delegated DoCIDs

There are two types of Delegation of Control (DoC) accounts (aka DoCIDs) in Quest ARS:

Primary Admins

Primary Admins are the main administrators for an Organizational Unit (OU). The OUs in this case are “top-level” OUs such as Research, API, AS (Arts and Sciences), EN (Engineering), VM (Vet), etc.  

Primary admins are given full control for most things within the “top” OUs such as creating users, groups, computers, and sub-OUs.

Additionally, by default, they are given the ability to:

  • define Dynamic Groups in Quest,
  • create and link Group Policy Objects (GPOs),
  • and most importantly, sub-delegate permissions to others within their organization.

DoC accounts for Primary Admins are created and maintained by Identity Management (IDM), and those accounts reside in an OU that IDM manages as well. Generally, there are between two and six primary admins for each “top” OU. A list of Primary Admins is auto-generated every hour from the current Primary Admin assignment for each OU.

Delegated Admins 

These DoC accounts are created and managed by Primary Admins, NOT by IDM. Their purpose is delegation, and the delegation itself is also maintained by Primary Admins.

These accounts reside inside the top-level OUs, under the IDs\DOCIDs OU. Permissions are delegated through pre-defined Access Templates (ATs) in Quest: a primary admin links an existing AT to grant a specific permission, such as creating computer objects.

By default, delegated admins cannot sub-delegate their permissions, create dynamic groups, or create GPOs.

Determine Your DoCID Type

  1. Navigate to the AD Info site and log in with your NetID and password.
  2. Search for the DoC account in the search box in the upper right corner, then select the DoC account from the list that appears. There may be only one account.
  3. Check the OU path at the top of the window. If it contains DelegatedObjects, it is a Delegated DoC account.
     (Screenshot: Delegated admin properties)
  4. A Primary DoC account's OU path will show the following: Active Directory / cornell.edu / DOC / Accounts
     (Screenshot: Primary DoC account properties)
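The same check can be applied in bulk when reviewing DoC accounts exported from the directory. The following is an added example, not part of this article or of Quest ARS: it parses each account's distinguishedName (handling backslash-escaped commas), renders the container path the way the AD Info site displays it, classifies the account as Primary or Delegated from the two locations described above, and flags accounts that sit in neither expected container. The sample DNs are constructed and the rendered "Active Directory / domain / OU" path format is assumed.

```python
import re

# Container locations as the article describes them, written here as
# distinguishedName components (assumption: the article gives display paths).
PRIMARY_PARENT = ("OU=ACCOUNTS", "OU=DOC", "DC=CORNELL", "DC=EDU")  # DOC / Accounts
DELEGATED_MARKER = "OU=DELEGATEDOBJECTS"

def split_dn(dn):
    """Split a distinguishedName into its RDNs, keeping escaped commas intact."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn)]

def ou_path(dn):
    """Render the container of a DN the way the AD Info site shows it:
    'Active Directory / <domain> / <top OU> / ... / <leaf OU>'."""
    containers = split_dn(dn)[1:]  # drop the leaf RDN (the account itself)
    ous = [c.split("=", 1)[1] for c in containers if c.upper().startswith("OU=")]
    dcs = [c.split("=", 1)[1] for c in containers if c.upper().startswith("DC=")]
    return " / ".join(["Active Directory", ".".join(dcs)] + list(reversed(ous)))

def classify_docid(dn):
    """Return 'Primary', 'Delegated' or 'Unknown' from the container path."""
    containers = [c.upper() for c in split_dn(dn)[1:]]
    if tuple(containers) == PRIMARY_PARENT:
        return "Primary"        # IDM-managed account directly under DOC/Accounts
    if DELEGATED_MARKER in containers:
        return "Delegated"      # created by a Primary Admin, cannot sub-delegate
    return "Unknown"            # neither expected container: worth a review

def misplaced_docids(dns):
    """DoC accounts that sit in neither expected container."""
    return [dn for dn in dns if classify_docid(dn) == "Unknown"]

# Constructed sample DNs (not real accounts); the escaped comma in the third
# one is the classic trap for naive comma-splitting.
SAMPLE_DNS = [
    "CN=doc-example1,OU=Accounts,OU=DOC,DC=cornell,DC=edu",
    "CN=doc-example2,OU=DelegatedObjects,OU=DOCIDs,OU=IDs,OU=EN,DC=cornell,DC=edu",
    "CN=Example\\, Doc3,OU=Accounts,OU=DOC,DC=cornell,DC=edu",
    "CN=doc-example4,OU=Users,OU=EN,DC=cornell,DC=edu",
]

if __name__ == "__main__":
    for dn in SAMPLE_DNS:
        print(f"{classify_docid(dn):9}  {ou_path(dn)}")
    print("Needs review:", misplaced_docids(SAMPLE_DNS))
```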
GPO creation/linking permission can be given to Delegated Admins, but this has to be done by IDM because the permissions for GPOs live in Active Directory and not in Quest. Separate AD group(s) should be created for delegating GPO rights.
