One solid benefit of Windows 2000 and Windows Server 2003 Active Directory domains over all previous Windows network directory services is the ability to delegate administrative authority over individual object attributes. No longer must you grant a user administrative group membership to grant them single-purpose administrative-level capabilities. That means that a small department head, for example, can administer the PCs in his department...
(an engineering group, perhaps) without having admin privileges.
OUs and group policy make delegation possible. You can configure delegation manually or through the Delegation of Control Wizard found in the Active Directory Users and Computers MMC console. To launch the wizard, select the OU and issue the Delegate Control command. Through this wizard you can fully customize the specific administrative level capabilities that are granted to non-administrative users.
After you've performed a delegation, you can inspect your work to ensure that you delegated control properly. Through the Active Directory Users and Computers MMC console, select View | Advanced Features. Then right-click on the delegated OU and select Properties from the context menu. On the Security tab of the resultant dialog box, click Advanced. The Permissions tab on this dialog box lists the delegated control permissions.
With some thought and planning, delegation can be used to simplify greatly the life of administrators. Granting "power users" additional capabilities and/or responsibilities may help reduce your administrative workload. For example, you could grant a user the ability to stop and restart the IIS service on the development Web server. You could even grant one person the ability to update address and phone number information on user accounts, while preventing them from changing any other aspect of a user account.
James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.