There should be a control over the usage of VisualCron credentials. For example a filter that is based on Visual Cron groups that would hide credentials for some users so that they are unable to pick them from the list when creating or editing a task in VisualCron.

Scenario: Single Visual Cron server is used by two teams: Active Directory Administrators and IIS administrators. VisualCron stores credentials for a user with "Enterprise Administrator" permissions in Active Directory so that AD tasks can be performed for the AD Admins. The IIS administrators use the visual cron for IIS logs management. There is no mechanism to control the access to the Enterprise Admin account credentials in Visual Cron. As a result, the IIS administrators can create VisualCron tasks which could execute as Enterprise Admin and modify AD components to which they usually have no access to.

If you can add new tab to the Credentials menu (the same as with ADD/Edit user window) with checkboxes for each existing group and each checkbox would allow the specified group to see and use the chosen credentials would work perfect. Next in every task the dropdown menu for credentials should just filter the items based on those checkboxes, that way when user is not a member of any of the allowed group for a credential would not be able to see it, chose it and use it.
This way you're not giving unlimited access for simple VisualCron admins to overpowered enterprise credentials outside the user's scope/access level.