The primary reason to create organizational units is to distribute administrative tasks across the organization by delegating administrative control to other administrators. Delegation is especially important when a decentralized administrative model is adopted. Delegation of administration is the process of moving responsibility for managing organizational units from a central administrator to other administrators. The ability to grant access to individual organizational units is an important security feature of Active Directory: access can be controlled down to the lowest level of the organization without creating many Active Directory domains. Note that delegation within a domain is an administrative boundary, not a security boundary; Domain Admins and anyone who holds write access to the organizational unit's ACL can override or extend what was delegated.
Authority delegated at the site level may span several domains or, conversely, may cover only part of a domain, because sites and domains are independent structures. Authority delegated at the domain level affects all objects in the domain. Authority delegated at the organizational unit level can affect that object and all of its child objects, or only the object itself.
Delegation of control is the ability to assign responsibility for managing Active Directory objects to another user, group, or organization. By delegating control, the number of administrative accounts that hold broad authority can be reduced. Delegated administration in Active Directory eases the burden of managing a network by distributing routine administrative tasks to multiple users. Basic delegated rights, such as creating user or group accounts, can be given to ordinary users, while major domain-wide administration can be delegated to senior or junior administrators as appropriate.
Autonomy is the ability of administrators in an organization to independently manage:
- All or part of service management (called service autonomy).
- All or part of the data in the Active Directory database, or the member computers that are joined to the directory (called data autonomy).
Common Administrative Tasks
Administrators routinely perform the following tasks in Active Directory:
- Change properties on a particular container. For example, when a new software package is available, administrators may create a Group Policy object that controls software distribution.
- Create and delete objects of a specific type. In an organizational unit, specific types may include users, groups, and printers. When a new employee joins the organization, for example, a user account is created for the employee, and the employee is then added to the appropriate organizational unit or group.
- Update specific properties on specific object types. In an organizational unit, this is perhaps the most common administrative task. Updating properties includes tasks such as resetting passwords and changing an employee's personal information, such as home address and phone number, when the employee moves.
Delegation of Administrative Control
Use the Delegation of Control Wizard to delegate administrative control of Active Directory objects such as organizational units. With the wizard, administrators can delegate common administrative tasks such as creating, deleting, and managing user accounts.
To delegate common administrative tasks for an organizational unit, perform the following steps:
- Start the Delegation of Control Wizard by performing the following steps:
  - Open Active Directory Users and Computers.
  - In the console tree, double-click the domain node.
  - In the details pane, right-click the organizational unit, click Delegate Control, and then click Next.
- Select the users or groups to which the common administrative tasks will be delegated. To do so, perform the following steps:
  - On the Users or Groups page, click Add.
  - In the Select Users, Computers, or Groups dialog box, type the names of the users or groups to which control of the organizational unit is to be delegated, click OK, and then click Next.
- Assign the common tasks to delegate. To do so, perform the following steps:
  - On the Tasks to Delegate page, click Delegate the following common tasks.
  - Select the tasks to be delegated, and then click Next.
- Click Finish.
Customizing Delegated Administrative Control
In addition to delegating the predefined set of common administrative tasks, such as the creation, deletion, and management of user accounts, the Delegation of Control Wizard can be used to select a custom set of tasks and delegate control of only those tasks.
For example, control can be delegated over all existing objects in an organizational unit and any new objects added to it, or only over selected object types in the organizational unit, such as user objects alone. It is also possible to delegate only the creation of the selected objects, only their deletion, or both.
To delegate custom administrative tasks for an organizational unit, perform the following steps:
- Start the Delegation of Control Wizard.
- Select the users or groups to which the administrative tasks will be delegated.
- Assign the custom tasks to delegate. To do this, perform the following steps:
  - On the Tasks to Delegate page, click Create a custom task to delegate, and then click Next.
  - On the Active Directory Object Type page, select one of the following options:
    - Click This folder, existing objects in this folder, and creation of new objects in this folder, and then click Next.
    - Click Only the following objects in the folder, select the Active Directory object types over which control will be delegated, optionally select Create selected objects in this folder and/or Delete selected objects in this folder, and then click Next.
  - On the Permissions page, select the permissions to be delegated, and then click Next.
- Click Finish.
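The two wizard procedures above (the common task "Reset user passwords and force password change at next logon" and the custom task of creating and deleting user objects in one organizational unit) write access control entries onto the organizational unit's security descriptor. The following PowerShell script is an added example, not part of the original page, that applies the same entries without the wizard and then reads the ACL back to verify them. The organizational unit `OU=Sales,DC=corp,DC=example` and the group `CORP\HelpDesk-Sales` are hypothetical; the script assumes the RSAT ActiveDirectory module and an account that holds write permission on the organizational unit's ACL. Object and right GUIDs are resolved from the schema and configuration partitions at run time rather than hard-coded.

```powershell
# Added example (not from the original page): delegate a common task and a
# custom task on one OU with explicit ACEs, then verify what was granted.
Import-Module ActiveDirectory

$OU    = 'OU=Sales,DC=corp,DC=example'   # hypothetical organizational unit
$Group = 'CORP\HelpDesk-Sales'            # hypothetical delegate group

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

# Resolve a class or attribute GUID from the schema partition.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    [guid]$obj.schemaIDGUID
}

# Resolve an extended right (control access right) GUID from the configuration partition.
function Get-ExtendedRightGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $obj) { throw "Extended right '$DisplayName' not found" }
    [guid]$obj.rightsGuid
}

$sid        = (New-Object System.Security.Principal.NTAccount($Group)).Translate(
                  [System.Security.Principal.SecurityIdentifier])
$userClass  = Get-SchemaGuid 'user'
$pwdLastSet = Get-SchemaGuid 'pwdLastSet'
$resetPwd   = Get-ExtendedRightGuid 'Reset Password'

$allow       = [System.Security.AccessControl.AccessControlType]::Allow
$descendants = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$thisAndAll  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$rights      = [System.DirectoryServices.ActiveDirectoryRights]

$aces = @(
    # Common task "Reset user passwords and force password change at next logon":
    # the Reset Password extended right plus read/write of pwdLastSet,
    # applied to descendant user objects only.
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $rights::ExtendedRight, $allow, $resetPwd, $descendants, $userClass),
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, ($rights::ReadProperty -bor $rights::WriteProperty), $allow,
        $pwdLastSet, $descendants, $userClass),
    # Custom task "Only the following objects in the folder: User objects" with
    # create and delete selected: CreateChild/DeleteChild restricted to the user class.
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, ($rights::CreateChild -bor $rights::DeleteChild), $allow,
        $userClass, $thisAndAll)
)

$acl = Get-Acl -Path "AD:\$OU"
foreach ($ace in $aces) { $acl.AddAccessRule($ace) }
Set-Acl -Path "AD:\$OU" -AclObject $acl

# Verification: list every ACE the delegate group now holds on the OU.
# Reviewing this output is the check to run before closing the change.
function Get-DelegatedAces([string]$OuDn, [System.Security.Principal.SecurityIdentifier]$Sid) {
    (Get-Acl -Path "AD:\$OuDn").Access |
        Where-Object {
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $Sid
        } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                      ObjectType, InheritedObjectType, InheritanceType
}

Get-DelegatedAces -OuDn $OU -Sid $sid | Format-Table -AutoSize
```

The verification output shows raw GUIDs in the ObjectType and InheritedObjectType columns; compare them against `$resetPwd`, `$pwdLastSet` and `$userClass` to confirm the entries are scoped to user objects rather than to every descendant. The same `Get-DelegatedAces` query, run periodically over all organizational units, is also a simple way to detect delegations that were never approved.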