A feature supported by Active Directory in Microsoft Windows Server. Delegation is part of the security framework of Active Directory. Along with other features such as the discretionary access control list (DACL), inheritance, and trust relationships, it enables Active Directory to be administered securely, protected from unauthorized access.
Delegation is the process of assigning permissions and rights to an object, container, or subtree of containers or organizational units (OUs) within Active Directory. These permissions and rights can be assigned for the following purposes:
Using delegation, the network administrator can distribute the job of managing an Active Directory enterprise-level implementation among a group of individuals, each with the appropriate permissions and rights to manage her or his portion of the directory.
For example, a user can be granted permissions and rights on the Users container so that he or she can create new users or modify the attributes of existing ones. In this fashion, the network administrator can be relieved of the tiresome duty of creating and configuring new user accounts by delegating the job to a junior administrator.
Delegation is designed to relieve the network administrator of the burden of managing the entire Active Directory and is an important security management feature in Windows 2000.
The Delegation of Control Wizard, which is part of the Active Directory Users and Computers administrative tool, can be used to delegate administration of portions of Active Directory to other administrators and users.
Always delegate administrative control at the level of organizational units, not at the level of individual objects. This allows you to better manage access to Active Directory because OUs are used to organize objects in the directory. One good idea is to delegate authority to those who are responsible for creating users, groups, computers, and other objects that commonly change in an enterprise.
Always assign permissions to groups instead of to individual users. Groups can be nested within one another and, together with inheritance of permissions, they provide a powerful tool for organizing the administration of Active Directory.
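The two rules above (delegate at the OU, grant to a group) applied as an added PowerShell example; this is not from the original entry or from the Delegation of Control Wizard, and the OU distinguished name and group name are assumed placeholders. It scopes the ACEs to user objects only and ends with a read-back of the OU's explicit ACEs so the delegation can be reviewed.

```powershell
# Added example: delegate user-account administration on one OU to a group.
# Assumptions: the ActiveDirectory module (and its AD: drive) is available, and the
# OU 'OU=Branch Users,DC=contoso,DC=com' and group 'Branch-UserAdmins' are placeholders.
Import-Module ActiveDirectory

function Grant-UserAdminDelegation {
    param(
        [string]$OuDN      = 'OU=Branch Users,DC=contoso,DC=com',   # assumed OU
        [string]$GroupName = 'Branch-UserAdmins'                    # assumed group
    )
    $rootDse = Get-ADRootDSE
    # Resolve the schema GUID of the 'user' class and the 'Reset Password' control access
    # right from this forest instead of hard-coding them; both are used to limit the ACEs
    # to user objects, so the group gains nothing over computers, groups or child OUs.
    $userClassGuid = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID).schemaIDGUID
    $resetPwdGuid = [guid](Get-ADObject `
        -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid).rightsGuid

    # Grant to the group's SID, never to an individual account.
    $groupSid = (Get-ADGroup -Identity $GroupName).SID
    $acl = Get-Acl -Path "AD:\$OuDN"
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    $ruleType = [System.DirectoryServices.ActiveDirectoryAccessRule]

    # ACE 1: create and delete user objects in this OU and its child OUs.
    $acl.AddAccessRule($ruleType::new($groupSid,
        [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
        $allow, $userClassGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All))
    # ACE 2: modify attributes of existing user objects below the OU (all properties,
    # but only on objects of class user).
    $acl.AddAccessRule($ruleType::new($groupSid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        $allow, [guid]::Empty,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid))
    # ACE 3: the 'Reset Password' extended right, again only on descendant user objects.
    $acl.AddAccessRule($ruleType::new($groupSid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        $allow, $resetPwdGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid))
    Set-Acl -Path "AD:\$OuDN" -AclObject $acl
}

# Review step: list the explicit (non-inherited) ACEs on the OU to verify what was delegated.
function Get-OuDelegation {
    param([string]$OuDN = 'OU=Branch Users,DC=contoso,DC=com')   # assumed OU
    (Get-Acl -Path "AD:\$OuDN").Access | Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                      ObjectType, InheritedObjectType, InheritanceType
}
```

Running `Get-OuDelegation` periodically, and comparing its output against the intended delegation, is a simple way to catch rights that have drifted beyond what was granted.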