The primary reason to create organizational units is to distribute administrative tasks across the organization by delegating administrative control to other administrators. Delegation is especially important when you develop a decentralized administrative model. Delegation of administration is the process of decentralizing the responsibility for managing organizational units from a central administrator to other administrators. The ability to establish access to individual organizational units is an important security feature in Active Directory. You can control access to the lowest level of an organization without the necessity of creating many Active Directory domains.
Authority delegated at the site level will likely span domains or, conversely, may not include targets in the domain. Authority delegated at the domain level will affect all objects in the domain. Authority delegated at the organizational unit level can affect that object and all of its child objects, or just the object itself.
Delegation of control is the ability to assign the responsibility of managing Active Directory objects to another user, group, or organization. By delegating control you can eliminate the need for multiple administrative accounts that have broad authority. Delegated administration in Active Directory helps ease the administrative burden of managing your network by distributing routine administrative tasks to multiple users. Basic delegated rights, such as creating a user account or group account, can be given to a normal user, and major domain-wide administration work can be delegated to senior- or junior-level administrators.
Autonomy is the ability of administrators in an organization to independently manage:
All or part of service management (called service autonomy).
All or part of the data in the Active Directory database or member computers that are joined to the directory (called autonomy).
Common Administrative Tasks
Administrators routinely perform the following tasks in Active Directory:
Change properties on a particular container: For example, when a new software package is available, administrators may create a group policy that controls the distribution of the software.
Create and delete objects of a specific type: In an organizational unit, specific types may include users, groups, and printers. When a new employee joins the organization, for example, you create a user account for the employee and then add the employee to the appropriate organizational unit or group.
Update specific properties on objects of a specific type: Perhaps the most common administrative task that you perform in an organizational unit, updating properties includes tasks such as resetting passwords and changing an employee's personal information, such as a home address and phone number, when the employee moves.
Delegation of Administrative Control
You can use the Delegation of Control Wizard to delegate administrative control of Active Directory objects, such as organizational units. By using the wizard, you can delegate common administrative tasks, such as creating, deleting, and managing user accounts.
To delegate common administrative tasks for an organizational unit, perform the following steps:
1. Start the Delegation of Control Wizard by performing the following steps:
   a. Open Active Directory Users and Computers.
   b. In the console tree, double-click the domain node.
   c. In the details menu, right-click the organizational unit, click Delegate Control, and click Next.
2. Select the users or groups to which you want to delegate common administrative tasks. To do so, perform the following steps:
   a. On the Users or Groups page, click Add.
   b. In Select Users, Computers, or Groups, type the names of the users and groups to which you want to delegate control of the organizational unit, click OK, and then click Next.
3. Assign common tasks to delegate. To do so, perform the following steps:
   a. On the Tasks to Delegate page, click Delegate the following common tasks.
   b. On the Tasks to Delegate page, select the tasks you want to delegate, and click OK.
4. Click Finish.
Customizing Delegated Administrative Control
In addition to using the Delegation of Control Wizard to delegate a common set of administrative tasks, such as the creation, deletion, and management of user accounts, you can use the wizard to select a set of custom tasks and delegate control of only those tasks.
For example, you can delegate control of all existing objects in an organizational unit and any new objects that are added, or you can select the objects in the organizational unit that you want to delegate administrative control of, such as only user objects in an organizational unit. You can also specify that you want to delegate only the creation of the selected objects, or the deletion of the object, or both.
To delegate custom administrative tasks for an organizational unit, perform the following steps:
1. Start the Delegation of Control Wizard.
2. Select the users or groups to which you want to delegate administrative tasks.
3. Assign the custom tasks to delegate. To do this, perform the following steps:
   a. On the Tasks to Delegate page, click Create a custom task to delegate, and click Next.
   b. On the Active Directory Object Type page, select one of the following options:
      - Click This folder, existing objects in this folder and creation of new objects in this folder, and click Next.
      - Click Only the following objects in the folder, select the Active Directory object type that you want to delegate control of, and click Next.
   c. Select the permissions that you want to delegate, and click Next.
4. Click Finish.
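After running either procedure above, the delegation is stored as access control entries on the organizational unit. The following PowerShell is an added example, not part of the original post, that lists the explicit (non-inherited) entries on an OU with class, attribute, and extended-right GUIDs resolved to names so the delegation can be reviewed. It assumes the RSAT ActiveDirectory module is installed; the OU distinguished name is a placeholder.

```powershell
# Added example: review what has been delegated on an organizational unit.
# Assumptions: ActiveDirectory module (RSAT) is available and the account
# running this can read the OU's security descriptor.
Import-Module ActiveDirectory

# Hypothetical OU distinguished name; replace with the OU you delegated.
$OuDn = 'OU=Sales,DC=example,DC=com'

# Build a GUID -> name map so ACEs are readable instead of raw GUIDs.
$root = Get-ADRootDSE
$map  = @{ [guid]::Empty = 'All' }

# Schema classes and attributes (e.g. user, group, pwdLastSet).
Get-ADObject -SearchBase $root.schemaNamingContext `
             -LDAPFilter '(schemaIDGUID=*)' `
             -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $map[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }

# Extended rights (e.g. Reset Password).
Get-ADObject -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" `
             -LDAPFilter '(objectClass=controlAccessRight)' `
             -Properties name, rightsGuid |
    ForEach-Object { $map[[guid]$_.rightsGuid] = $_.name }

# Read the OU's ACL through the AD: drive and keep only explicit entries,
# i.e. those set on this OU rather than inherited from a parent.
$acl = Get-Acl -Path "AD:\$OuDn"

$acl.Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference,
                  AccessControlType,
                  ActiveDirectoryRights,
                  @{ Name = 'ObjectOrRight'; Expression = { $map[$_.ObjectType] } },
                  @{ Name = 'AppliesTo';     Expression = { $map[$_.InheritedObjectType] } },
                  InheritanceType |
    Sort-Object IdentityReference |
    Format-Table -AutoSize
```

The output also includes the default explicit entries that Active Directory places on every OU, so compare it against a freshly created OU to isolate what was delegated.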
How do I Delegate Administrator Privileges in Active Directory?
tags: system--windows/linux, windows system | author: chao