The process of granting limited administrative authority to users over portions of Active Directory.


Delegation allows administrators to give users different levels of control over objects in Active Directory. It is implemented by granting permissions (access control entries) on OUs and the objects beneath them, and those permissions are inherited down the OU tree. This distributes the administrative burden of managing Active Directory to trusted users and groups in an enterprise, easing the workload for administrators. For example, you can delegate the right to reset users' passwords to a trusted individual on your network without giving that person any other administrative privileges. You can even delegate the right to delegate, if you wish. For delegation to work properly, however, the structure of domains and OUs in Active Directory must be carefully planned: a right granted at an OU applies to every object that is placed in that OU later, so an OU that mixes ordinary users with privileged accounts turns a narrow grant such as "reset password" into a path to those accounts.
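The password-reset delegation described above, as an added example written for this entry rather than taken from the book: it grants a helpdesk group the Reset Password extended right on user objects under one OU only, then reads the OU's explicit (non-inherited) entries back so the grant can be verified or audited. It assumes the RSAT ActiveDirectory module on a domain-joined host, an account allowed to modify the OU's security descriptor, and the hypothetical OU and group names shown in the usage lines at the bottom.

```powershell
# Added example, not code from the book. Requires the ActiveDirectory module
# (RSAT) and permission to write the OU's security descriptor.
Import-Module ActiveDirectory

# Well-known schema GUIDs: the "Reset Password" control access right and the
# "user" object class. Both are fixed values published in the AD schema.
$ResetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
$UserClassGuid      = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

function Grant-ResetPasswordOnOU {
    param(
        [Parameter(Mandatory)][string]$OuDistinguishedName,  # hypothetical OU DN
        [Parameter(Mandatory)][string]$GroupSamAccountName   # hypothetical group
    )

    $group = Get-ADGroup -Identity $GroupSamAccountName
    $acl   = Get-Acl -Path "AD:\$OuDistinguishedName"

    # Scope: ExtendedRight limited to the Reset Password GUID, applied to
    # descendant objects only, and only where the descendant is a "user".
    # This keeps the group from resetting computer account passwords or
    # touching anything outside this OU subtree.
    $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $group.SID,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ResetPasswordRight,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $UserClassGuid)

    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$OuDistinguishedName" -AclObject $acl
}

function Get-ExplicitOUDelegations {
    # Lists the ACEs set directly on the OU (not inherited from its parent),
    # which is where delegated rights live. Use it after a grant to confirm
    # the scope, and periodically to find delegations nobody remembers adding.
    param([Parameter(Mandatory)][string]$OuDistinguishedName)

    $names = @{
        $ResetPasswordRight.Guid = 'Reset Password'
        $UserClassGuid.Guid      = 'user'
        [Guid]::Empty.Guid       = '(all)'
    }

    (Get-Acl -Path "AD:\$OuDistinguishedName").Access |
        Where-Object { -not $_.IsInherited } |
        ForEach-Object {
            [pscustomobject]@{
                Identity      = $_.IdentityReference.Value
                Rights        = $_.ActiveDirectoryRights
                ObjectType    = if ($names.ContainsKey($_.ObjectType.Guid)) { $names[$_.ObjectType.Guid] } else { $_.ObjectType.Guid }
                AppliesTo     = if ($names.ContainsKey($_.InheritedObjectType.Guid)) { $names[$_.InheritedObjectType.Guid] } else { $_.InheritedObjectType.Guid }
                Inheritance   = $_.InheritanceType
                Type          = $_.AccessControlType
            }
        }
}

# Usage with hypothetical names (adjust to your forest):
Grant-ResetPasswordOnOU -OuDistinguishedName 'OU=Sales Users,DC=corp,DC=example' `
                        -GroupSamAccountName 'HelpDesk-PasswordReset'
Get-ExplicitOUDelegations -OuDistinguishedName 'OU=Sales Users,DC=corp,DC=example' |
    Format-Table -AutoSize
```

The read-back matters as much as the grant. The ACE is what the directory enforces, so check that it shows the Reset Password GUID under ObjectType and "user" under AppliesTo; an entry with ObjectType "(all)" or rights broader than ExtendedRight means the delegation was scoped wider than intended. Delegating the right to delegate, mentioned above, would be a separate ACE granting WriteDacl on the OU, and deserves the same scrutiny.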

For descriptions of the various ways of delegating authority in Active Directory, see delegation.

Planning an Active Directory Structure That Facilitates Delegation

For delegation to work well, you need to model your Active Directory structure after the categories of administrative tasks performed, or the job functions of your IT staff, not after the political or organizational chart of your company. For example, a company's organizational chart might show the CEO as the head or root of the organizational tree, with departments such as HR, Sales, IT, and Finance beneath. These departments might then have subdivisions, such as Accounts and Payroll under Finance. This is generally not the model you should follow ...
