Use this wizard to delegate administrative control
As a network administrator, you can't possibly keep up with all your enterprise's IT tasks, so you need to delegate administrative control to other members of your IT staff. Although you can simply turn loose a slew of administrators with instructions to deal with certain tasks, a better alternative is to use Windows 2000's Delegation of Control Wizard. This tool lets you precisely configure three important aspects of delegation: the people to whom you want to give administrative powers, the objects over which you want them to have power, and the permissions these people need to perform their administrative tasks.
Who, What, and How?
Win2K lets you delegate administrative control of any Active Directory (AD) object, but the most common practice is to delegate control of an organizational unit (OU). You can give this control to a user or a group.
I've found that a practical approach is to create a group of administrators, then delegate control of an OU to that group. By following this approach, you won't need to reconfigure delegation when a user with delegated powers changes responsibilities or leaves the company; you simply change the group's membership. More important, using groups keeps your AD database from growing too large, which could make replication and backup more onerous than they already are. For each user to whom you assign the right to administer an object, Win2K adds an access control entry (ACE) to the object's ACL. Child objects inherit their parent object's delegation properties, so Win2K also writes a copy of that ACE into the ACL of each of the parent object's child objects. At a cost of almost 100 bytes each, these ACEs can quickly eat up valuable AD database space when you delegate control to multiple individual users. When you delegate control to a group, however, Win2K adds only one ACE, for the group, to the object's ACL. Thus, you can use a group to assign control to multiple users without adding a lot of ACE data to the AD database, and you can add users to the group later without adding any ACEs to the object's ACL.
The Delegation of Control Wizard also lets you specify the scope of powers you give to your delegation groups. You might want to give a group the power to perform all tasks, or you might want to narrow the range of permitted tasks (e.g., give the group the power only to create New Computer objects). To give you an idea of how the wizard works, let's step through the process of delegating administrative control over an OU.
Using the Wizard
To launch the wizard, open the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in. Right-click the OU for which you want to delegate administration, then choose Delegate Control from the shortcut menu.
In the wizard's welcome message, click Next to open the Users or Groups window, then click Add to see a list of users and groups to whom you can delegate control. Type or select the appropriate name or names, click OK, then click Next.
In the Tasks to Delegate window, which Figure 1, page 100, shows, you can select one, some, or all of the listed common tasks. Or you can choose the Create a custom task to delegate option, which lets you delegate complete administrative powers over specific object types in the OU. This option gives your chosen group considerably more power than the listed tasks do, because full control over an object class covers every operation on it, not just the ones the wizard lists.
When you select the custom task option, clicking Next opens the Active Directory Object Type window, which Figure 2, page 101, shows. This window presents options to give your selected group control over every object in the folder (i.e., OU) or over only selected object types. If you want to pass a good chunk of your workload to the administrators you've placed in the group, delegate control of all the objects in the OU; if the group needs to manage only one kind of object (e.g., computer accounts), select only that object type so that the group gets no more power than its job requires.
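The wizard writes ordinary ACEs onto the OU's security descriptor, so you can perform the same delegation and, more usefully, verify what the wizard did, from a script. The following is an added example and not code from the article; it uses the ActiveDirectory PowerShell module (RSAT on Windows Server 2008 R2 or later, not available on Win2K itself) to delegate control of an OU to a group and then read the OU's ACL back to confirm the one-ACE-per-group and inheritance behaviour described above. The domain example.com, the OU "Sales" and the group "Sales Admins" are assumed names.

```powershell
# Added example, not from the original article. Delegates control of an OU to a
# group and reads the resulting ACL back. Assumed names: domain example.com,
# OU "Sales", group "Sales Admins". Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$ouDn      = "OU=Sales,DC=example,DC=com"   # assumed OU
$groupName = "Sales Admins"                  # assumed delegation group
$group     = Get-ADGroup -Identity $groupName
$sid       = [System.Security.Principal.SecurityIdentifier]$group.SID

# Option A: full control over every object in the OU, inherited by all child
# objects. This is what the wizard grants when you choose "Create a custom task"
# and then "This folder, existing objects in this folder, and creation of new
# objects in this folder" with Full Control.
$fullControl = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# Option B: the narrow delegation, create Computer objects only. Internally this
# is a CreateChild right restricted to the computer schema class, so look the
# class GUID up in the schema rather than hard-coding it.
$schemaNc      = (Get-ADRootDSE).schemaNamingContext
$computerClass = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=computer)" -Properties schemaIDGUID
$computerGuid  = [guid]$computerClass.schemaIDGUID
$createComputers = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# Apply one of the two rules. Use the narrow one unless the group genuinely
# needs full control over the whole OU.
$acl = Get-Acl -Path "AD:\$ouDn"
$acl.AddAccessRule($createComputers)    # or: $acl.AddAccessRule($fullControl)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Check 1: explicit (non-inherited) ACEs on the OU for the group. Expect exactly
# one entry, however many users are later added to the group.
$explicit = (Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { -not $_.IsInherited -and $_.IdentityReference -like "*\$groupName" }
$explicit | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType

# Check 2: the same right appears as an inherited ACE on a child of the OU,
# which is why per-user delegation multiplies ACE storage across every child.
$child = Get-ADObject -SearchBase $ouDn -SearchScope OneLevel -LDAPFilter "(objectClass=*)" -ResultSetSize 1
if ($child) {
    (Get-Acl -Path "AD:\$($child.DistinguishedName)").Access |
        Where-Object { $_.IsInherited -and $_.IdentityReference -like "*\$groupName" } |
        Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
}
```

On a Win2K domain controller the equivalent command-line tool is dsacls from the Support Tools, for example `dsacls "OU=Sales,DC=example,DC=com" /I:T /G "EXAMPLE\Sales Admins:GA"` for full inherited control. Two caveats worth keeping in mind: the wizard only adds ACEs and has no option to review or remove a delegation, so the OU's Security tab (or a script like the one above) is the place to audit what has been delegated; and once control is delegated to a group, membership of that group is itself a privilege, so restrict who can modify the group as carefully as you restrict the OU.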