Implementing Active Directory Delegation of Administration
By now almost everyone is running Windows Active Directory or has at least considered migrating to it. With Windows NT no longer supported, it is important to understand the reasons for moving to Active Directory so that the design and ongoing support can be planned accordingly. One of the most important reasons to move to Active Directory is the inclusion of delegation of administration for the directory service. Delegation of administration lets more users and administrators take part in administering Active Directory without giving any of them more power than they need. This improves the return on your Active Directory investment and provides a more flexible mechanism for managing enterprise objects and accounts. If you don't know what delegation of administration is, or you have not yet implemented it, this article covers the details you need to implement it, along with some design ideas to get you started.
What is Delegation of Administration?
Delegation of administration is really a fancy way of referring to establishing access control lists on organizational units and accounts in Active Directory. If we were to compare delegation of administration to a standard file and folder structure, you can see how the concept works.
Assume that you have a folder structure where there is a top level folder, with two tiers of folders under it. The top level is called Data and the two tiers under the Data folder include Departments and HRData. The Departments folder also has other subfolders including Sales, Engineering, Finance, and Executives. If you want someone from the IT department to control all files for all departments, you would configure the permissions at the Departments level. If however, you wanted a user from the HR department to control the files under the HRData folder only, you would configure the permissions on the HRData folder, thus giving them access to all files stored under it.
Delegation of Administration is similar. Let's assume that you have an organizational unit (OU) structure such that the top level OU is named Employees and the child OUs are Departments and HRUsers. Departments in turn contains child OUs such as SalesUsers, EngineeringUsers, FinanceUsers, and ExecutiveUsers. If you wanted someone from the IT department to be able to reset the password for every employee in every department, you would establish that delegation of administration at the Departments OU, and inheritance carries it down to the user accounts in all of the child OUs. If, however, you wanted a manager from the HR department to be able to reset passwords for only the HR users, you would configure the delegation of administration on the HRUsers OU, giving them the ability to reset passwords for just those users. Note that because HRUsers sits beside Departments rather than under it, the IT delegation at Departments does not reach the HR accounts; if IT should cover those as well, the delegation belongs one level up, at the Employees OU.
As you can see, delegation of administration is designed to allow domain admins the ability to offload specific tasks, to specific users/administrators, over specific objects within the Active Directory structure.
Implementing Delegation of Administration
When you sit down to implement delegation of administration, you first need to decide which actions you want to delegate. Microsoft continues to add prebuilt tasks that you can set up easily; these are common tasks that most companies need to delegate, regardless of the size of the organization. The benefit of this prebuilt list is that it hides the underlying access control entries that have to be written to the OU: you pick a task by name, and the wizard works out which permissions on which object types and attributes that task requires.
To understand how the delegation of administration can be set, let's look at a step-by-step on how to establish the delegation of administration that we just looked at for the resetting of passwords. The structure of OUs is shown in Figure 1.
Figure 1: Active Directory structure of organizational units
To establish the delegation of administration for the IT users to reset passwords for all employees in all departments, you should, as a best practice, delegate to a group rather than to individual user accounts. I have created a group named ITResetPasswords and placed all of the IT users that need this capability in it. From here, right-click the Departments OU and select the Delegate Control menu option, as shown in Figure 2.
Figure 2: Delegate Control menu option establishes the delegation of administration for that OU
The delegation wizard will ask you the following questions:
- The group that you want to give the abilities to (see Figure 3)
- The task that you want to delegate (see Figure 4)
Figure 3: You need to select which groups will have the ability to perform the task
Figure 4: You need to select which tasks the groups will be able to perform
After you select these two options and finish the wizard, it appears as if nothing really happens. However, what has happened is quite significant, considering the abundance of permissions that exist for a single OU. There are over 10,000 individual permissions that can be set for a single OU. This one delegation sets only 3 of them, all scoped to the user objects beneath the OU: the Reset Password control access right, plus Read and Write on the pwdLastSet attribute (the attribute that "User must change password at next logon" toggles), as shown in Figures 5 and 6.
Figure 5: Permissions set to reset password for user accounts under the OU
Figure 6: Permissions allowing user to force users to change password next time password is used
You can see by the size of the scroll bars in both Figures above that there are numerous permissions to choose from. The wizard masks this complexity by setting the correct permissions for you.
To configure permission for the HRResetPasswords group, which targets only the user accounts in the HRUsers OU, you follow the same steps. First, add the appropriate users to the HRResetPasswords group. Second, use the Delegate Control menu option on the HRUsers OU, selecting that group and the reset-password task. Finally, inform the users in the group that they can now reset passwords for all users in this OU.
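The same two delegations can be applied and, more importantly, verified from PowerShell. The block below is an added example written for this article, not something the original author or Microsoft supplies; it reproduces what the "Reset user passwords and force password change at next logon" task writes, then reads the ACL back so you can see the entries the wizard never shows you. It assumes the RSAT ActiveDirectory module is installed, that the OU tree from Figure 1 exists under the current domain, that the two groups are created in the default Users container, and that the account running it is allowed to modify the OUs' security descriptors. The schema and extended-right GUIDs are looked up from the forest rather than hard-coded (the well-known values are shown in comments for reference).

```powershell
# Added example (not from the original article). Applies the reset-password
# delegation with PowerShell instead of the Delegate Control wizard, then reads
# the OU's ACL back to confirm the entries. Assumptions: RSAT ActiveDirectory
# module present, OU tree from Figure 1 exists, groups live in CN=Users.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$rootDSE  = Get-ADRootDSE

# Resolve GUIDs from the live schema/configuration rather than hard-coding them.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $rootDSE.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return [guid]$obj.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDSE.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    return [guid]$obj.rightsGuid
}

$userClassGuid     = Get-SchemaGuid 'user'                  # bf967aba-0de6-11d0-a285-00aa003049e2
$pwdLastSetGuid    = Get-SchemaGuid 'pwdLastSet'            # bf967a0a-0de6-11d0-a285-00aa003049e2
$resetPasswordGuid = Get-ExtendedRightGuid 'Reset Password' # 00299570-246d-11d0-a768-00aa006e0529

function Grant-ResetPasswordDelegation {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string]$OuDN
    )
    $sid     = (Get-ADGroup $GroupName).SID
    $acl     = Get-Acl -Path "AD:\$OuDN"
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    # "Descendents" + inheritedObjectType = user: applies to user objects in this
    # OU and every OU below it, but not to the OU object itself or to other classes.
    $inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

    # Entry 1: the Reset Password control access right on descendant user objects.
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        $allow, $resetPasswordGuid, $inherit, $userClassGuid)))

    # Entry 2: read + write pwdLastSet, which is what "user must change password
    # at next logon" sets (pwdLastSet = 0). Shown as two permissions in the ACL editor.
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
        $allow, $pwdLastSetGuid, $inherit, $userClassGuid)))

    Set-Acl -Path "AD:\$OuDN" -AclObject $acl
}

# The check the wizard does not give you: list the explicit (non-inherited)
# entries a given group holds on an OU.
function Get-DelegatedAces {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string]$OuDN
    )
    $account = "$((Get-ADDomain).NetBIOSName)\$GroupName"
    (Get-Acl -Path "AD:\$OuDN").Access |
        Where-Object { $_.IdentityReference.Value -eq $account -and -not $_.IsInherited } |
        Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
}

# Usage: the two delegations described in the article.
$departmentsOU = "OU=Departments,OU=Employees,$domainDN"
$hrUsersOU     = "OU=HRUsers,OU=Employees,$domainDN"

New-ADGroup -Name ITResetPasswords -GroupScope Global -Path "CN=Users,$domainDN"
New-ADGroup -Name HRResetPasswords -GroupScope Global -Path "CN=Users,$domainDN"

Grant-ResetPasswordDelegation -GroupName ITResetPasswords -OuDN $departmentsOU
Grant-ResetPasswordDelegation -GroupName HRResetPasswords -OuDN $hrUsersOU

Get-DelegatedAces -GroupName ITResetPasswords -OuDN $departmentsOU
Get-DelegatedAces -GroupName HRResetPasswords -OuDN $hrUsersOU
```

Running Get-DelegatedAces afterwards should show exactly the ExtendedRight entry whose ObjectType is the Reset Password GUID and the ReadProperty, WriteProperty entry whose ObjectType is the pwdLastSet GUID, both with InheritedObjectType set to the user class GUID. The same function is useful for periodic review: the Delegate Control wizard only ever adds entries and offers no way to remove them, so anything you want to take back has to be removed from the ACL directly, and you want to know it is actually gone.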
Designing for Delegation of Administration
From the example above, you can see that the delegation of administration is not all that hard to implement. I also hope you realize that the design of your Active Directory structure, especially considering the OU design, is the key. When you consider your design of Active Directory and OUs, you really only need to consider two primary design goals:
- Delegation of Administration
- Deployment of Group Policy
Beyond these two design criteria, OU design is usually driven by organizational politics rather than technical need. When you consider how to design your OUs for delegation of administration, first take a step back and evaluate how you "would like" to administer objects in Active Directory. Here are some questions to ask about your administrators and helpdesk:
- Are users centralized in one location or distributed in different offices?
- Are there administrators/helpdesk staff just at corporate headquarters, or at every office?
- Are there some administrators/helpdesk staff that control just a single department or two, or do all administrators handle all departments?
- Do some administrators/helpdesk staff handle user accounts while others handle computer accounts?
- Do you want managers of departments to control membership in their own groups instead of calling you to manage these group members?
- Do you want managers of departments to control resetting passwords for users in their department instead of having those users call your staff?
Based on the answers to these questions, you can start to develop the OU design for delegation of administration. Meanwhile, you will also need to consider how Group Policy will be deployed. There may be areas where the OU layout that suits delegation of administration conflicts with the layout that suits Group Policy deployment. In these cases, lean the OU design toward delegation of administration, because delegation follows ACL inheritance down the OU tree and cannot easily be redirected around it. Group Policy is natively somewhat more flexible, since security filtering and WMI filtering let a GPO linked to one OU apply to only a subset of the objects beneath it, and a tool such as PolicyMaker can make Group Policy deployment more flexible still.
When you look at how you want to administer objects within your Active Directory design, delegation of administration should be part of the picture. This powerful feature allows you to offload common tasks that really should be done by the owners of the content, such as resetting passwords and modifying group membership. By using the Delegate Control wizard, you can take advantage of the most common tasks Microsoft provides out of the box. If you need a delegation that is not on that list, use the custom task option shown in Figure 4. Whichever options you choose, you need to use delegation of administration in Active Directory to get the biggest bang for your buck on your Active Directory investment.