It is often easy to forget some of the basic benefits of complex systems. This is especially true when you spend significant efforts focusing in on the detailed configurations of a system. One of the often-overlooked basic benefits of Active Directory is delegated authority.
Delegated authority is the ability to assign administrative level rights, privileges and access to non-administrative or system-operator level users. In other words, delegated authority allows you to take advantage of the ordinary users' eagerness to gain a little power while reducing your own workload and administrative overhead.
Active Directory's delegation capabilities are made possible through the various compartments, divisions, or groupings used to establish the infrastructure design of a forest. Those groupings are: forest, tree, domain, site and organizational unit. Within each of these compartments you can assign individual administrative functions to other users. But keep in mind the granted privilege is available to them throughout the compartment and all sub-compartments (for example, granting someone a capability at a domain level grants them that capabilities in all OUs within that domain).
Delegating authority can be performed using broad strokes of granting privileges or used in a very rigid, controlled fine-tuned manner. You can grant a person the ability to manage user accounts from creation to upkeep to removal or you could grant them the ability to alter just
Delegation can be a tremendous time saver if you make the effort to grant only the privileges necessary for users to perform their newly assigned "administrative" tasks. Granting too much access to non-administrators can result in chaos, downtime and havoc (in other words, overlapping of responsibilities, misconfigured systems and management disdain at your parceling out your work tasks to others). So, plan carefully. Implement incrementally. Double-check your work. And audit the actions of your new administrative deputies.
James Michael Stewart is a researcher and writer for Lanwrights, Inc.
This was first published in July 2002