Administrators can delegate control based on OUs. This will provide control to individuals or groups to manage objects within OUs.
In my demo, I am going to provide delegated control for Asia IT Team members to manage objects under the Asia OU:
- To do that, log in to the domain controller as the Domain Admin and open ADUC. Then, right-click on the relevant OU and click on Delegate Control...:
- Then, it will open up the wizard; there, select the individuals or group that you'd like to provide delegated control to. In this demo, this is Asia IT Team (REBELADMINAsia IT Team):
- In the next window, system will provide the option to select what kind of control to provide. These are sets of permissions predefined by Microsoft, and they cannot be changed. But it also provides the option to create custom tasks. After selecting the options needed, click Next to proceed:
- After the wizard completes configuration, the team will have delegated control over the objects under OU=Asia,DC=rebeladmin,DC=com.
We can review the delegated permission under the OU security settings:
When required, delegated permission can be removed through these security settings.