2

My IT environment is growing, and I want to delegate Domain Admin control to specific OUs. This way at each site, the admin in that location can only make changes in his site-specific OU.

In my current environment my AD is still in 2003.

How can I set this up? Is this possible in 2003 AD?

Ward - Trying Codidact
Jake A

2 Answers

5

Yes it is possible in W2K3.

Create a security group for each group of administrative users.

Add the appropriate users to each group.

In ADUC, right click the appropriate OU and select "Delegate Control" from the context menu.

Add the appropriate group for the management of that OU and its objects.

Select the option to delegate a common task or to create a custom task.

Select the tasks you want this group to be able to perform in this OU.

joeqwerty
0

Yes, this is possible in Active Directory, and you can accomplish this need by using the Delegation of Administration capability to easily delegate specific tasks based on the principle of least access to the delegatees.

For example, you can delegate tasks like the ability to create user accounts, delete user accounts, reset user account passwords, unlock user accounts, etc.

There are two ways to delegate these tasks. You can either use the Delegation Wizard to delegate tasks, or if you are an advanced user, you can directly grant the minimum set of permissions needed to delegate the tasks you are interested in delegating.

For each of the above, you will need to launch ADUC, then navigate to the OUs you are interested in and then either use the Delegation Wizard (accessible via right-click) or use the ACL Editor which can be accessed from the Security Tab, which in turn can be accessed by right-clicking on the object, and selecting Properties. (Note that in order to view the Security Tab, Advanced Features must be on in ADUC.)

In case it helps, a list of the Top-20 most commonly delegated tasks in Active Directory, and the list of permissions needed to delegate those tasks can be found here.

AntoineF
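
The direct-permission route mentioned in the answers above can also be scripted with `dsacls.exe` instead of the ACL Editor. The following is an added example, not part of either answer: it grants one site group a small set of user-management rights on one OU and then lists the resulting entries for review. The OU distinguished name and group name are hypothetical placeholders, and it assumes `dsacls.exe` is on the path (on Server 2003 it ships with the Windows Support Tools).

```powershell
# Added example: the DN and group below are hypothetical placeholders.
$ou    = 'OU=SiteA,DC=example,DC=com'   # site-specific OU
$group = 'EXAMPLE\SiteA-Admins'         # security group holding that site's admins

# dsacls permission string: PermissionBits;Object-or-Property;InheritedObjectType
#   /I:T = this object and sub-objects, /I:S = sub-objects only
$grants = @(
    @{ Task = 'Create/delete user accounts'; Inherit = '/I:T'; Ace = 'CCDC;user' },
    @{ Task = 'Reset user passwords';        Inherit = '/I:S'; Ace = 'CA;Reset Password;user' },
    @{ Task = 'Force change at next logon';  Inherit = '/I:S'; Ace = 'RPWP;pwdLastSet;user' },
    @{ Task = 'Unlock user accounts';        Inherit = '/I:S'; Ace = 'RPWP;lockoutTime;user' }
)

foreach ($g in $grants) {
    Write-Host "Delegating: $($g.Task)"
    # ${group} is braced so the following colon is not parsed as part of the variable name
    & dsacls.exe $ou $g.Inherit /G "${group}:$($g.Ace)"
    # Stop on the first grant that dsacls reports as failed
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed for task '$($g.Task)'" }
}

# Review step: list only the ACL lines on the OU that mention the delegated group,
# so the grants can be compared against the task list above.
& dsacls.exe $ou | Select-String -SimpleMatch $group
```

Granting to a group rather than to individual users keeps the OU's ACL stable when site staff change; membership of the group is then the only thing that needs reviewing.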