One of the most important reasons for creating an OU structure in AD DS is for the purpose of delegating administration to a separate administrator or administrative group. AD DS allows for this level of administrative granularity in a single domain. This concept is further illustrated in this section.

A group of users can be easily granted specific levels of administrative access to a subset of users. For example, a remote IT group can be granted standard user creation/deletion/password-change privileges to its own OU. The process of delegating this type of access is quite simple and involves the following steps:
1. In Active Directory Users and Computers, right-click the OU where you want to delegate permissions, and choose Delegate Control.
2. Click Next at the Welcome screen.
3. Click Add to select the group to which you want to give access.
4. Type in the name of the group, and click OK.
5. Click Next to continue.
6. Under Delegate the Following Common Tasks, choose the permissions you want (see the example shown in Figure 1), and click Next to continue.
7. For example, select Create, Delete, and Manage User Accounts, and then click Next.
8. Click Finish to finalize the changes.
In fact, the Delegation of Control Wizard allows for an extremely specific degree of administrative granularity. If desired, an administrator can delegate a group of users the ability to modify only phone numbers, or similar attributes, for users in a specific OU. Custom tasks can be created and enabled on OUs to accomplish this and many other administrative tasks. Most types of administration that might need to be delegated can be handled in this way. To use the phone administration example, follow these steps to set up custom delegation:
1. In Active Directory Users and Computers, right-click the OU where you want to delegate permissions, and choose Delegate Control.
2. Click Next at the Welcome screen.
3. Click Add to select the group to which you want to give access.
4. Type in the name of the group, and click OK.
5. Click Next to continue.
6. Select Create a Custom Task to Delegate, and click Next.
7. Under Delegate Control Of, choose Only the Following Objects in the Folder.
8. Check Users Objects and click Next.
9. Under Permissions, check Read and Write Phone and Mail Options, as shown in Figure 2, and click Next.
10. Click Finish to finalize the changes.
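The wizard writes explicit ACEs onto the OU, and the only way to confirm that a delegation (common task or custom task) grants exactly what was intended is to read those ACEs back. The following PowerShell is an added example, not from the book: it uses the ActiveDirectory RSAT module and the AD: drive to list the non-inherited ACEs on an OU, resolves the schema and extended-right GUIDs to names, and flags entries that grant far more than a phone-and-mail delegation should. The `Get-OuDelegation` function and the `OU=Remote IT,DC=example,DC=com` DN are placeholders.

```powershell
# Added example, not from the book: list what has actually been delegated on an OU.
# Requires the ActiveDirectory RSAT module; the OU DN passed in is a placeholder.
Import-Module ActiveDirectory

# Build a GUID -> name map for schema classes/attributes and extended rights,
# so the ACE ObjectType and InheritedObjectType columns are readable.
$rootDse = Get-ADRootDSE
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

function Resolve-AdGuid {
    param([guid]$Guid, [string]$EmptyMeans)
    if ($Guid -eq [guid]::Empty) { return $EmptyMeans }
    if ($guidMap.ContainsKey($Guid)) { return $guidMap[$Guid] }
    return $Guid.ToString()   # unknown GUID: show it raw rather than hide it
}

function Get-OuDelegation {
    param([Parameter(Mandatory)][string]$OuDn)
    $acl = Get-Acl -Path "AD:\$OuDn"
    $r = [System.DirectoryServices.ActiveDirectoryRights]
    # The Delegation of Control Wizard writes explicit ACEs on the OU, so drop
    # inherited entries to see only what was delegated here.
    $acl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object {
        $rights = $_.ActiveDirectoryRights
        # Anything that controls the ACL itself, or grants everything, exceeds a
        # "phone and mail options" style delegation and deserves a second look.
        $broad = $rights.HasFlag($r::GenericAll) -or
                 $rights.HasFlag($r::WriteDacl) -or
                 $rights.HasFlag($r::WriteOwner)
        [pscustomobject]@{
            Trustee     = $_.IdentityReference.Value
            Type        = $_.AccessControlType
            Rights      = $rights
            ObjectType  = Resolve-AdGuid $_.ObjectType 'All properties/rights'
            AppliesTo   = Resolve-AdGuid $_.InheritedObjectType 'All object classes'
            Inheritance = $_.InheritanceType
            Broad       = [bool]$broad
        }
    }
}

# Usage with a placeholder DN; replace it with the OU you delegated:
Get-OuDelegation 'OU=Remote IT,DC=example,DC=com' | Format-Table -AutoSize
```

For the custom phone delegation above, the expected rows are WriteProperty/ReadProperty entries for the IT group whose AppliesTo resolves to `user` and whose ObjectType resolves to the phone and mail property set; any row with Broad set to True was not created by that task.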
The possible variations are enormous, but the concept is sound. AD DS’s capability to delegate administrative functionality to this degree of granularity is one of the major advantages inherent in Windows Server 2008 R2.