Delegating Administration by Using OU Objects

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

You can use organizational units (OUs) to delegate the administration of objects, such as users or computers, within the OU to a designated individual or group. To delegate administration by using an OU, place the individuals to whom you are delegating administrative rights into a security group, place the set of objects to be controlled into an OU, and then grant that group the administrative permissions it needs on the OU. Granting the permissions to a group rather than to individual accounts keeps the OU's access control list stable when staff change; you adjust group membership instead of editing the ACL.

Active Directory enables you to control the administrative tasks that can be delegated at a very fine-grained level; for example, you can assign one group full control of all objects in an OU; assign another group only the rights to create, delete, and manage user accounts in the OU; and assign a third group only the right to reset user account passwords. You can make these permissions inheritable so that they apply not only to the OU itself but also to any OUs placed in its subtree. Because inherited permissions flow down to every object created later under that OU, review what each delegated group can do in the whole subtree, not just at the level where the permission is set.
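The following PowerShell script is an added example, not code from the original page or from Microsoft, that carries the procedure above through end to end with the Windows Server 2003 command-line tools (dsadd, dsmove and dsacls): it creates the OU and the delegated groups, moves an object into the OU, and then grants the three levels of permission described above (full control, create/delete/manage user accounts, reset password only). The domain contoso.com, the OU name Sales, the group names and the user jdoe are assumptions for illustration; run it as a service administrator on a domain controller or a machine with the support tools installed.

```powershell
# Added example (not from the original page): delegate a Sales OU to three
# groups using dsacls.exe, the Windows Server 2003 command-line ACL tool.
# Assumed names: domain contoso.com, OU "Sales", groups Sales-OUAdmins,
# Sales-UserAdmins and Sales-HelpDesk, and an existing user jdoe.

$Domain     = "DC=contoso,DC=com"
$OU         = "OU=Sales,$Domain"
$OUAdmins   = "CONTOSO\Sales-OUAdmins"    # full control of the OU subtree
$UserAdmins = "CONTOSO\Sales-UserAdmins"  # create/delete/manage user accounts
$HelpDesk   = "CONTOSO\Sales-HelpDesk"    # reset user passwords only

# 1. Create the OU and the global security groups that will receive the rights.
dsadd ou $OU
foreach ($g in "Sales-OUAdmins", "Sales-UserAdmins", "Sales-HelpDesk") {
    dsadd group "CN=$g,$OU" -secgrp yes -scope g
}

# 2. Move the objects to be delegated out of the default Users container
#    (which stays under service-administrator control) into the new OU.
dsmove "CN=jdoe,CN=Users,$Domain" -newparent $OU

# 3. Grant rights on the OU. Inheritance flags:
#    /I:T = this object and all sub-objects, /I:S = sub-objects only.
#    Permission codes: GA = full control, CC/DC = create/delete child,
#    CA = a named control access right.

# Full control over the OU and everything below it
dsacls $OU /I:T /G "${OUAdmins}:GA"

# Create and delete user objects anywhere in the OU subtree ...
dsacls $OU /I:T /G "${UserAdmins}:CCDC;user"
# ... and full control of the user objects in that subtree (no rights on
# computers, groups or child OUs, because the ACE is scoped to class user)
dsacls $OU /I:S /G "${UserAdmins}:GA;;user"

# Only the "Reset Password" control access right, and only on user objects
dsacls $OU /I:S /G "${HelpDesk}:CA;Reset Password;user"

# 4. Verify: dump the resulting DACL and show the entries for the delegated groups.
dsacls $OU | Select-String "Sales-"
```

The verification step matters: dsacls shows exactly which ACEs landed and with what inheritance, so you can confirm that the help-desk group received only the Reset Password right and nothing else, and that the user-administration group's full-control ACE is limited to objects of class user.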

Default OUs and containers are created during the installation of Active Directory and are controlled by service administrators. It is best if service administrators continue to control these containers. If you need to delegate control over objects in the directory, create additional OUs and place the objects in these OUs. Delegate control over these OUs to the appropriate data administrators. This makes it possible to delegate control over objects in the directory without changing the default control given to the service administrators.

The forest owner determines the level of authority that is delegated to an OU owner. This can range from the ability to create and manipulate objects within the OU to being allowed to control only a single attribute of a single type of object in the OU. Granting a user the ability to create an object in the OU implicitly grants that user the ability to manipulate any attribute of any object that the user creates, because the creator becomes the owner of the new object, and an object's owner can always modify its permissions. In addition, if the object that is created is a container, then the user implicitly has the ability to create and manipulate any objects that are placed in the container. For this reason, treat the right to create objects as a broad grant, and prefer to delegate narrower rights (for example, modifying specific attributes or resetting passwords) when the task does not require creating new objects.