Scenario
Delegation of control in Active Directory can be very helpful when managing a large number of users from different locations. System administrators can delegate permissions to IT staff in different branches so they can manage users in their city. This is especially useful when permissions are delegated and your company doesn’t need everything centralized.
For this example, let’s consider the following: My organization is divided into three cities: Ensenada, Tijuana, and Mexicali, with the latter being the main headquarters. Each city has IT staff, and we, as IT administrators, want to delegate user responsibility to the IT staff in Tijuana and Ensenada. To do this, I’ve created a security group for each city: IT-Tijuana and IT-Ensenada. Within these groups, I’ve added the corresponding staff for each city. These groups will serve as the basis for delegating control to the desired OUs (Organizational Units).
Within Active Directory, select the desired OU and right-click, then select Delegate Control.
In the wizard, select Next.
Here, add the group you created for the selected OU. In this case, since I want to delegate control to the IT staff in Tijuana, I will select the IT-Tijuana group.
Next.
In this section, you can create different tasks to delegate. There are very specific custom tasks that you can delegate, but that won’t be the case here.
Here, I will delegate the following permissions:
Create, delete, and manage user accounts.
Reset user passwords and force them to change their passwords upon the next login.
Read all user information.
The final step will provide a summary of the tasks to be delegated to the selected group or users. If everything is correct, click Finish.
At this point, users belonging to the IT-Tijuana group will be able to manage users within the Tijuana OU. The only remaining step is to replicate these same steps for the Ensenada OU.