Delegating administrative authority means not only sharing administrative tasks with other users, but also tightly controlling the permissions granted to each administrator. Use the principle of least privilege to assign users, including administrators, the permissions required to do their jobs, but no more.
Delegation of authority can enhance security by:
- Distributing administrative authority to one or more groups with a more narrowly defined set of responsibilities.
- Decentralizing administrative control.
- Distributing control based on security principles.
Delegating administrative authority typically involves the following processes:
- Identify administrative roles. Each role describes a specific administrative function or job.
- Identify the users who perform each role. Create groups for each role and add the users as members.
- Assign permissions to each group to enable group members to perform the tasks defined by the role.
To allow users to manage Active Directory objects and properties, such as creating users or computers, managing group membership, or resetting passwords, use the Delegation of Control wizard. Be aware that:
- The wizard can assign new permissions only. You cannot modify existing permissions using the wizard.
- Permissions delegated at an OU are inherited by its child OUs.
- Delegating the right to create and link Group Policy Objects (GPOs) is a two-step process:
  - Run the Delegation of Control wizard at the domain or the OU where the group should be able to link GPOs. Select Manage Group Policy links in the tasks to delegate.
  - Grant the user or group the rights to access the GPO container. You can either:
    - Grant rights to the GPO container.
    - Add users to the Group Policy Creator Owners group.
When assigning permissions to Active Directory objects:
- Assign permissions to the domain or organizational units (OUs) based on the administrative scope. For example, you might create an OU for a department, then assign permissions to that OU to a department manager.
- Assign permissions for specific object types, attributes, and tasks. For example, you might delegate the authority to manage only the password property of user objects in the OU.
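The scoped delegation described in the last item (password management on user objects in one OU, granted to a role group rather than to individuals) can also be done outside the wizard with the ActiveDirectory module, which makes the result easy to review. This is an added example, not part of the original notes; the OU distinguished name and group name are placeholders, and the schema GUIDs are looked up by name rather than hard-coded.

```powershell
# Added example: delegate password-reset rights on one OU to a role group, then read back the ACEs.
Import-Module ActiveDirectory

$ouDN      = 'OU=Sales,DC=corp,DC=example'   # placeholder OU for the administrative scope
$groupName = 'Sales-HelpDesk'                 # placeholder role group (least privilege: group, not users)

# Permissions are granted to the role group's SID.
$group = Get-ADGroup -Identity $groupName
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

# Resolve the GUIDs from the schema / configuration partition instead of hard-coding them.
$rootDse = Get-ADRootDSE
$userGuid = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID).schemaIDGUID
$pwdLastSetGuid = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=pwdLastSet)' -Properties schemaIDGUID).schemaIDGUID
$resetPwdGuid = [guid](Get-ADObject -SearchBase $rootDse.configurationNamingContext `
    -LDAPFilter '(&(objectClass=controlAccessRight)(displayName=Reset Password))' -Properties rightsGuid).rightsGuid

$acl = Get-Acl -Path "AD:\$ouDN"

# ACE 1: the "Reset Password" extended right, limited to user objects, inherited by child OUs.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow, $resetPwdGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, $userGuid))

# ACE 2: write to pwdLastSet only, so the group can force "change password at next logon".
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow, $pwdLastSetGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, $userGuid))

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: list the explicit (non-inherited) ACEs now held by the role group on this OU.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" -and -not $_.IsInherited } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

Because the ACEs are scoped with InheritedObjectType = user and InheritanceType = Descendents, they apply to user objects in this OU and its child OUs but not to other object types, which is the check to repeat when reviewing what the wizard has granted.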