As an alternative to using the built-in groups, you can granularly delegate permissions per OU.
There are a couple of recommended practices to keep you and your colleagues from insanity:
- Build a delegation of control model and/or authorization matrix before performing delegation of control. This way, delegation settings can be continually documented, agreed upon, and transferred to other admins without adding unnecessary complexity.
- Always use groups when delegating permissions, not individual user or computer accounts. This way, giving permissions is a matter of (temporarily) adding a user account to a group, instead of going through the Delegation of Control Wizard each time. It also makes auditing that much ...