Learn AD in 15 Minutes a Week: AD Delegation of Authority - Delegating Administrative Control

by Jason Zandri

Welcome to the 14th installment of Learn Active Directory Design and Administration in 15 Minutes a Week, a weekly series aimed at current IT professionals preparing to write the new Windows Active Directory Design and Administration exams (70-219 and 70-217 respectively), as well as newcomers to the field who are trying to get a solid grasp on this new and emerging directory service from Microsoft. This installment is going to cover the Windows 2000 Active Directory Delegation of Authority - Delegating Administrative Control, with a specific focus on Delegating Administrative Control to Active Directory Objects.
Jason Zandri's latest article in the Learn Active Directory Design and Administration in 15 Minutes a Week series reviews the Windows 2000 Active Directory Delegation of Authority, with a specific focus on delegating administrative control to Active Directory objects.

Delegating Administrative Control

You can use permissions to grant administrative control to a specific user or groups of users so that they can administer a single organizational unit or an entire hierarchy of organizational units, depending on your needs and the detail of delegation your Enterprise requires.

By delegating control of the day to day administration at the organizational unit level in your domains throughout your Windows 2000 Forest to other responsible domain members and junior administrators, you allow for decentralized administrative operations closer to the worker level, and you also allow for more seasoned Administrators to concentrate on Enterprise-wide services and issues. Also, it minimizes the need to have many "all-powerful" administrators in your organization for day to day tasks such as resetting passwords and allowing permissions to printers on a given floor of a specific building.

For example, you can set the administrative control to specific users or groups and allow them only the required rights to perform a given function, such as resetting passwords, while denying them the ability to create user accounts when it is beyond the scope of their administrative role.

You can use permissions to grant administrative control to a specific user or groups of users, so that they can administer a single organizational unit or an entire hierarchy of organizational units, depending on your needs and the detail of delegation your Enterprise requires.

You can allow or deny permissions for every object in Active Directory as long as you are the owner of that object. Permissions can be set both implicitly or explicitly, and they can be allowed or denied and can be set as standard permissions or as special permissions.

[NOTES FROM THE FIELD] - Domain and Enterprise Administrators have the rights to allow or deny permissions for every object in Active Directory, in addition to any other owners that may own the objects.