This section describes the design for delegated administration, including an Active Directory organizational unit (OU) structure, and the associated security configurations for implementing the detailed delegated administration model used in the solution. This design is created and managed using Microsoft Provisioning System (MPS) as outlined in Build Service Provisioning
In order to lock down every object and limit access to authorized users, the delegated administration model provides support for external users in customer and reseller business entities. Thus, even if an application such as a provisioning system should attempt to violate security rules, either intentionally or through faulty logic, the proposed inherent object-level security configuration will provide security.
The Microsoft Windows operating system includes tools that you can use to manually enforce the delegated administration design; however, this documentation does not describe how to use these tools because:
Manual implementation is never a viable solution because of the resulting high level of effort and lack of consistency.
A number of settings are only available through the programmatic interface to the objects. The user tools often do not provide a way to establish some of these settings. You should use an alternative provisioning solution that can incorporate the delegated administration design.