Obviously, administering an entire forest of domains can be a rather daunting task. You can assign various users the role of junior administrator by adding them to various administrative groups, but this practice may backfire in that you give up a certain level of security. The best way is to delegate certain tasks to a select number of users so as to lower the burden on you, while not giving your users too much administrative power. You can delegate control over the following objects in Active Directory:
Organizational Units (OU)
The following tutorial outlines the process of giving the user Mac N. Tosh (macn) the authority to create and manage users and groups in the North Wing (Accounting OU) in the guinea.pig domain.
Open Active Directory Users and Computers on DC01.
Expand the North Wing OU under the guinea.pig icon.
Inside the North Wing OU, right-click the Groups OU and choose Delegate Control. Hit Next.
We are asked to add the users to which we wish to delegate control. Click Add and enter the name of the user to be delegated control. For this example, we use macn. Click OK and click Next.
Make sure that Delegate the following common tasks is selected. Place checks in the boxes labeled:
Create, delete, and manage user accounts
Reset user passwords and force password change
Create, delete, and manage groups
Modify the membership of a group
Click Next and Finish.
Mac N. Tosh is now able to add users/groups and modify their Properties. He is not allowed, however, to perform other tasks such as add new child domains, run RSoP simulations, or other higher-level tasks reserved for administrators.
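The wizard writes access control entries (ACEs) onto the OU, so the delegation can be checked by reading the OU's ACL back. The PowerShell below is an added example, not part of the original tutorial: it assumes the ActiveDirectory (RSAT) module is installed, that the Groups OU has the distinguished name OU=Groups,OU=North Wing,DC=guinea,DC=pig, and that the domain's NetBIOS name is GUINEA. It lists the ACEs set explicitly for macn and warns if any of them is broader than the tasks ticked in the wizard.

```powershell
# Added example: audit what was delegated to macn on the Groups OU.
Import-Module ActiveDirectory

$ouDn     = 'OU=Groups,OU=North Wing,DC=guinea,DC=pig'  # assumed DN, derived from the tutorial
$delegate = 'GUINEA\macn'                               # assumed NetBIOS domain name

# Well-known schema and extended-right GUIDs that appear in delegation ACEs
$guidNames = @{
    '00000000-0000-0000-0000-000000000000' = '(all)'
    'bf967aba-0de6-11d0-a285-00aa003049e2' = 'user (class)'
    'bf967a9c-0de6-11d0-a285-00aa003049e2' = 'group (class)'
    'bf9679c0-0de6-11d0-a285-00aa003049e2' = 'member (attribute)'
    'bf967a0a-0de6-11d0-a285-00aa003049e2' = 'pwdLastSet (attribute)'
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password (extended right)'
}

function Resolve-GuidName([guid]$Guid) {
    # Translate a GUID to a readable name; unknown GUIDs are shown as-is
    $key = $Guid.ToString()
    if ($guidNames.ContainsKey($key)) { $guidNames[$key] } else { $key }
}

# The AD: drive is provided by the ActiveDirectory module
$acl = Get-Acl -Path "AD:\$ouDn"

# Keep only ACEs set directly on this OU for the delegate (skip inherited ones)
$aces = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $delegate -and -not $_.IsInherited
}

$aces | Select-Object AccessControlType, ActiveDirectoryRights,
    @{ n = 'AppliesTo';       e = { Resolve-GuidName $_.ObjectType } },
    @{ n = 'OnObjectsOfType'; e = { Resolve-GuidName $_.InheritedObjectType } },
    InheritanceType | Format-Table -AutoSize -Wrap

# Full control with no object-type restriction is more than the wizard tasks grant
$broad = $aces | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.ActiveDirectoryRights -eq 'GenericAll' -and
    $_.ObjectType -eq [guid]::Empty -and
    $_.InheritedObjectType -eq [guid]::Empty
}
if ($broad) {
    Write-Warning "$delegate has unrestricted full control on $ouDn"
}
```

Running the same check on a schedule and comparing the output against a saved baseline shows when a delegation has been widened after the fact.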