Delegation Concepts



Delegation is the process of granting users limited control over portions of Active Directory. This distributes the administrative burden of managing Active Directory to trusted users and groups in an enterprise, thus easing the workload for administrators.

Delegation Strategies

There are two ways to delegate authority over Active Directory:

Object-based delegation

One way of delegating administrative privileges in Active Directory is to assign permissions over specific types of objects contained in sites, domains, or OUs to specific users or groups. These objects can include computers, users, groups, printers, and so on. For example, an administrator could delegate Full Control permission over computer objects in an OU called Web Servers to a Webmasters global group, giving members of this group full control over the servers in their department.

Task-based delegation

Another way of performing delegation is to delegate the authority to perform a particular task for a site, domain, or OU to specific users or groups. For example, an administrator could delegate authority over a domain to a global group called CompAdmins to perform the task "Add a computer to the domain."
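The two delegations just described (Full Control over computer objects in the Web Servers OU for Webmasters, and the "add a computer to the domain" task for CompAdmins) come down to access control entries on the directory objects. The following PowerShell is an added example, not code from the book: it uses the ActiveDirectory module (which postdates Windows Server 2003) together with the .NET System.DirectoryServices ACL types. The domain name example.com, the OU and group names, and the function names are assumptions chosen to match the book's scenario.

```powershell
# Added example, not code from the book. Assumptions: domain example.com,
# an OU named "Web Servers", and global groups Webmasters and CompAdmins.
Import-Module ActiveDirectory

# Look up the schema GUID of an object class rather than hard-coding it.
function Get-SchemaClassGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $cls = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return [guid]$cls.schemaIDGUID
}

# Add one Allow ACE for a group to the DACL of an OU or domain object.
function Grant-DelegatedControl {
    param(
        [Parameter(Mandatory)][string]$TargetDN,    # OU or domain receiving the ACE
        [Parameter(Mandatory)][string]$GroupName,   # delegate to a group, never a user
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance,
        [guid]$ObjectType = [guid]::Empty,          # limits the right to one class/attribute/extended right
        [guid]$InheritedObjectType = [guid]::Empty  # limits inheritance to child objects of one class
    )
    $sid  = (Get-ADGroup -Identity $GroupName).SID
    $path = "AD:\$TargetDN"
    $acl  = Get-Acl -Path $path
    $ace  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $sid, $Rights,
                [System.Security.AccessControl.AccessControlType]::Allow,
                $ObjectType, $Inheritance, $InheritedObjectType)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

$computerClass = Get-SchemaClassGuid -LdapDisplayName 'computer'

# Object-based delegation: Full Control over computer objects in the Web Servers OU.
# The ACE is inherit-only and scoped to descendant objects of class computer, so
# Webmasters get nothing on the OU itself or on non-computer objects inside it.
Grant-DelegatedControl -TargetDN 'OU=Web Servers,DC=example,DC=com' `
    -GroupName 'Webmasters' `
    -Rights ([System.DirectoryServices.ActiveDirectoryRights]::GenericAll) `
    -Inheritance ([System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents) `
    -InheritedObjectType $computerClass

# Task-based delegation: let CompAdmins add computers to the domain. At the ACL
# level this is the Create Child right limited to the computer class, granted on
# the domain object and inherited by its descendants.
Grant-DelegatedControl -TargetDN 'DC=example,DC=com' `
    -GroupName 'CompAdmins' `
    -Rights ([System.DirectoryServices.ActiveDirectoryRights]::CreateChild) `
    -Inheritance ([System.DirectoryServices.ActiveDirectorySecurityInheritance]::All) `
    -ObjectType $computerClass
```

The difference between the two calls is where the class GUID goes: as the inherited-object type it restricts which child objects receive the (otherwise unrestricted) right, while as the object type it restricts a right on the target itself to one class, attribute, or extended right. Run the script from an account that already holds Modify Permissions on the target, and review the resulting ACL with Get-Acl before relying on it.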

In addition, you can delegate the power to delegate by delegating the permission to assign permissions on objects to users and groups. By doing this, you can empower trusted users to entrust others with limited administrative privileges. This sounds like a good idea, but if not documented properly, you will soon lose track of who can do what on your network.

When delegating authority over objects or tasks, always delegate administrative authority over directory objects to groups, not to users. This simplifies Active Directory administration in the long run as your company grows and reorganizes. Nesting groups is a powerful technique that can simplify complex administration.

When choosing which directory objects to delegate authority over, note that delegating authority at the OU level is generally preferable to doing so at the site or domain level. When delegating authority at the OU level, do so at the highest level possible to take advantage of inheritance, which simplifies the assignment of Active Directory permissions. You can also override the permissions that a child object might inherit from its parent object. This is called blocking and prevents future changes to the parent's permissions from flowing to the child. Blocking makes permissions hierarchies more complicated and should be avoided unless absolutely necessary. Instead, it's better to move objects you want to block to a different OU and assign suitable permissions to that OU.
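The two cautions above, that undocumented delegation soon leaves you unsure who can do what and that blocked inheritance complicates the permission hierarchy, can both be checked from the directory itself. The following PowerShell is an added example, not code from the book: it walks every OU under a search base, reports the explicit (non-inherited) ACEs on each, flags OUs whose DACL blocks inheritance, and flags delegations made to an individual user rather than a group. It assumes the ActiveDirectory module (which postdates Windows Server 2003); the regular expression of default principals to skip and the function names are assumptions to adapt to your own baseline.

```powershell
# Added example, not code from the book. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Principals that carry default ACEs on OUs; assumption, tune to your baseline.
$defaultPrincipals = '^(NT AUTHORITY\\|BUILTIN\\|S-1-5-32-|CREATOR OWNER|' +
    '.*\\(Domain Admins|Enterprise Admins|Key Admins|Enterprise Key Admins|' +
    'Cert Publishers|Pre-Windows 2000 Compatible Access|ENTERPRISE DOMAIN CONTROLLERS)$)'

# Resolve an ACE identity to its AD object class so user-level grants can be flagged.
function Get-PrincipalClass {
    param([Parameter(Mandatory)][System.Security.Principal.IdentityReference]$Identity)
    try {
        $sid = $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value
        $obj = Get-ADObject -Filter "objectSid -eq '$sid'" -Properties objectClass
        if ($obj) { return $obj.ObjectClass } else { return 'unknown' }
    } catch { return 'unresolved' }
}

# One report row per explicit ACE, plus one row per OU that blocks inheritance.
function Get-DelegationReport {
    param([Parameter(Mandatory)][string]$SearchBase)
    $ous = Get-ADOrganizationalUnit -SearchBase $SearchBase -Filter *
    foreach ($ou in $ous) {
        $dn  = $ou.DistinguishedName
        $acl = Get-Acl -Path "AD:\$dn"
        if ($acl.AreAccessRulesProtected) {
            # Inheritance from the parent is blocked here, which the text advises against.
            [pscustomobject]@{ OU=$dn; Finding='InheritanceBlocked'; Identity='';
                               Class=''; Rights=''; Inheritance='' }
        }
        foreach ($ace in $acl.Access) {
            if ($ace.IsInherited) { continue }              # set on this OU, not flowed down
            $id = $ace.IdentityReference.Value
            if ($id -match $defaultPrincipals) { continue } # default ACEs, not delegations
            $class   = Get-PrincipalClass -Identity $ace.IdentityReference
            $finding = if ($class -eq 'user') { 'DelegatedToUser' } else { 'Delegation' }
            [pscustomobject]@{
                OU          = $dn
                Finding     = $finding
                Identity    = $id
                Class       = $class
                Rights      = $ace.ActiveDirectoryRights.ToString()
                Inheritance = $ace.InheritanceType.ToString()
            }
        }
    }
}

Get-DelegationReport -SearchBase (Get-ADDomain).DistinguishedName |
    Sort-Object OU, Finding | Format-Table -AutoSize
```

Keeping the output of this report under version control alongside the written delegation plan gives you a record to diff against: a new explicit ACE, a new InheritanceBlocked row, or a DelegatedToUser row then stands out as a change to review rather than something to rediscover later.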



Windows Server 2003 in a Nutshell
ISBN: 0596004044
Year: 2003
Pages: 415
Authors: Mitch Tulloch

flylib.com © 2008-2017.