Delegating Administration by Using OU Objects
Updated: April 26, 2012
Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012
You can use organizational units (OUs) to delegate administration of the objects they contain, such as users or computers, to a designated individual or group. The pattern is: put the people who will receive the administrative rights into a security group, put the objects they are to manage into an OU, and then grant that group the delegated permissions on the OU. Delegating to a group rather than to individual accounts means that membership can change later without editing the permissions on the OU again.
Active Directory Domain Services (AD DS) lets you delegate administrative tasks at a fine-grained level, because each delegation is an access control entry (ACE) in the discretionary access control list (DACL) of the OU. For example, you can give one group full control of all objects in an OU, give a second group only the right to create, delete, and manage user accounts in the OU, and give a third group only the right to reset user account passwords. You can make these ACEs inheritable so that they also apply to any child OUs created in the subtree below the original OU.
Default OUs and containers (for example, the Users, Computers, and Builtin containers and the Domain Controllers OU) are created during the installation of AD DS and are controlled by service administrators. It is best if service administrators continue to control these containers. If you need to delegate control over objects in the directory, create additional OUs, move the objects into those OUs, and delegate control over the new OUs to the appropriate data administrators. This makes it possible to delegate control over objects in the directory without changing the default control given to the service administrators.
The forest owner determines the level of authority that is delegated to an OU owner. This can range from the ability to create and manipulate any object within the OU down to permission to write a single attribute of a single type of object in the OU. Granting a user the ability to create an object in the OU implicitly grants that user the ability to manipulate any attribute of any object that the user creates: by default the creator becomes the owner of the new object, and an owner can always rewrite the object's DACL, so no explicit grant on the new object is needed. In addition, if the object that is created is a container, the user implicitly has the ability to create and manipulate any objects that are placed in the container. When you review a delegation, therefore, treat a "create child" right as full control over whatever the grantee creates, not as a narrow permission.
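The following script is an added example and is not part of the original page or of any Microsoft tooling; it shows, with the ActiveDirectory PowerShell module, the three-tier delegation described above (full control, user-account management only, password reset only) plus the narrowest grant mentioned here, write access to a single attribute of a single object class. The OU OU=Sales,DC=contoso,DC=com and the groups Sales-OU-Admins, Sales-UserAccount-Admins, Sales-Helpdesk and Sales-PhoneEditors are hypothetical names chosen for illustration; the script assumes RSAT is installed and that you run it as an account that may modify the OU's DACL.

```powershell
# Added example, not from the original page. Hypothetical names: the OU
# "OU=Sales,DC=contoso,DC=com" and four security groups that already exist.
Import-Module ActiveDirectory

$ouDN    = 'OU=Sales,DC=contoso,DC=com'
$rootDse = Get-ADRootDSE

# Resolve the GUIDs the ACEs need from the schema and from the
# Extended-Rights container instead of hard-coding them.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$obj.rightsGuid
}

$userClass = Get-SchemaGuid 'user'                   # schemaIDGUID of the user class
$phoneAttr = Get-SchemaGuid 'telephoneNumber'        # schemaIDGUID of one attribute
$resetPwd  = Get-ExtendedRightGuid 'Reset Password'  # control access right

# Build one Allow ACE for a group. Guid.Empty means "not restricted to an
# object type"; Inheritance All = this OU and everything beneath it,
# Descendents = only the objects beneath the OU, not the OU itself.
function New-OuAce {
    param(
        [string]$Group,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance,
        [guid]$ObjectType = [guid]::Empty,          # class, attribute or extended right the ACE covers
        [guid]$InheritedObjectType = [guid]::Empty  # object class that inherits the ACE
    )
    $sid = (Get-ADGroup -Identity $Group).SID
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType, $Inheritance, $InheritedObjectType)
}

$acl = Get-Acl -Path "AD:\$ouDN"

# 1. Full control of the OU and of every object in it or in its child OUs.
$acl.AddAccessRule((New-OuAce -Group 'Sales-OU-Admins' -Rights GenericAll -Inheritance All))

# 2. Create, delete and manage user accounts only: create/delete child objects
#    of class user on the OU (inherited by child OUs), plus full control of the
#    user objects beneath it. Computers, groups and the OU itself stay untouched.
$acl.AddAccessRule((New-OuAce -Group 'Sales-UserAccount-Admins' `
    -Rights 'CreateChild, DeleteChild' -Inheritance All -ObjectType $userClass))
$acl.AddAccessRule((New-OuAce -Group 'Sales-UserAccount-Admins' `
    -Rights GenericAll -Inheritance Descendents -InheritedObjectType $userClass))

# 3. Reset passwords only: the Reset Password extended right on descendant
#    user objects, and nothing else.
$acl.AddAccessRule((New-OuAce -Group 'Sales-Helpdesk' -Rights ExtendedRight `
    -Inheritance Descendents -ObjectType $resetPwd -InheritedObjectType $userClass))

# 4. The narrowest grant: write one attribute (telephoneNumber) of one class (user).
$acl.AddAccessRule((New-OuAce -Group 'Sales-PhoneEditors' -Rights WriteProperty `
    -Inheritance Descendents -ObjectType $phoneAttr -InheritedObjectType $userClass))

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Check the result: show only the ACEs set directly on this OU (not inherited
# from the domain head), so a reviewer sees exactly what was delegated.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType,
                  InheritanceType, InheritedObjectType |
    Format-Table -AutoSize
```

The Delegation of Control Wizard in Active Directory Users and Computers writes equivalent ACEs for its built-in tasks; the scripted form is easier to review, repeat across OUs, and diff against the intended state. Two points a reviewer should check in the final listing: tier 2 carries both a CreateChild and a GenericAll ACE, and per the ownership rule above the CreateChild alone would already give that group full control over any user it creates; and the ObjectType of the Reset Password ACE must resolve to the extended right, not to the user class, otherwise the helpdesk group receives far more than a reset right.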