Platform SDK: Active Directory, ADSI, and Directory Services

Delegation

Delegation is one of the most important security features of Active Directory. Delegation allows a higher administrative authority to grant specific administrative rights for containers and subtrees to individuals and groups. This eliminates the need for domain administrators with sweeping authority over large segments of the user population.

ACEs in the container's ACL grant specific administrative rights on the objects in that container to a user or group; each ACE names the operation being granted and the object class it applies to. For example, to make a user named "user 1" the administrator of the "Corporate Accounting" organizational unit, you would add ACEs to the ACL on "Corporate Accounting" as follows (shown in a conceptual notation):

"user 1";Grant ;Create, Modify, Delete;Object-Class User
"user 1";Grant ;Create, Modify, Delete;Object-Class Group
"user 1";Grant ;Write;Object-Class User; Attribute Password

Now user 1 can create new users and groups in Corporate Accounting and set the passwords of existing users there, but cannot create objects of any other class and cannot affect users in any other container (unless, of course, ACEs on those containers grant that access).

In the directory itself each entry above is an object-specific ACE. The create and delete rights are placed on the container with the schemaIDGUID of the class (user or group) as the ACE's object type, so that no other class is covered. A right on existing users reaches them only through inheritance: the ACE must be inheritable and carry the user class as its inherited-object type, otherwise it applies to the organizational unit itself as well. Setting a password is governed by the Reset Password control access right on the user object, not by write permission on an attribute. After applying a delegation, check the resulting ACEs: an entry with no object type, or one that inherits to all classes, grants far more than administration of users and groups.
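The following script is an added example and not code from the Platform SDK page; it applies the delegation described above with the ActiveDirectory PowerShell module and the System.DirectoryServices classes. The OU distinguished name and the trustee name are assumed placeholders, "Modify" is interpreted as WriteProperty on the objects of that class, and the password entry is implemented as the Reset Password control access right. The class and right GUIDs are read from the forest's own schema and configuration partitions rather than hardcoded.

```powershell
# Added example (not from the Platform SDK page): delegate user and group
# administration on an OU as described in the text. The OU DN and the
# trustee are assumed placeholders; run as an account holding WriteDacl
# on the OU.
Import-Module ActiveDirectory

$ouDN    = 'OU=Corporate Accounting,DC=example,DC=com'                     # assumed
$trustee = [System.Security.Principal.NTAccount]::new('EXAMPLE', 'user1')   # assumed
$sid     = $trustee.Translate([System.Security.Principal.SecurityIdentifier])
$rootDse = Get-ADRootDSE

# Resolve class and control-access-right GUIDs from this forest instead of
# hardcoding them.
function Get-SchemaClassGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$ldapDisplayName))" `
        -Properties schemaIDGUID
    return [guid]$obj.schemaIDGUID      # schemaIDGUID is stored as a byte array
}
function Get-ExtendedRightGuid([string]$displayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=$displayName))" `
        -Properties rightsGuid
    return [guid]$obj.rightsGuid
}

$userClass     = Get-SchemaClassGuid 'user'
$groupClass    = Get-SchemaClassGuid 'group'
$resetPassword = Get-ExtendedRightGuid 'Reset Password'

$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$rights  = [System.DirectoryServices.ActiveDirectoryRights]
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
$ace     = [System.DirectoryServices.ActiveDirectoryAccessRule]

$rules = @(
    # "Create, Delete; Object-Class User/Group": CreateChild and DeleteChild on
    # the OU tree, with the class GUID as ObjectType so no other class is covered.
    $ace::new($sid, ($rights::CreateChild -bor $rights::DeleteChild), $allow, $userClass,  $inherit::All)
    $ace::new($sid, ($rights::CreateChild -bor $rights::DeleteChild), $allow, $groupClass, $inherit::All)
    # "Modify": WriteProperty on descendant objects only, scoped through
    # InheritedObjectType to user and group objects, never to the OU itself.
    $ace::new($sid, $rights::WriteProperty, $allow, $inherit::Descendents, $userClass)
    $ace::new($sid, $rights::WriteProperty, $allow, $inherit::Descendents, $groupClass)
    # "Write; Attribute Password": in AD this is the Reset Password control
    # access right (ExtendedRight carrying the right's GUID) on user objects.
    $ace::new($sid, $rights::ExtendedRight, $allow, $resetPassword, $inherit::Descendents, $userClass)
)

$acl = Get-Acl -Path "AD:\$ouDN"
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Check the result: every explicit ACE for the trustee should carry an
# ObjectType or an InheritedObjectType. An all-zero GUID in both columns
# means the ACE is unscoped and grants more than intended.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -eq $trustee.Value } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType, InheritanceType
```

The two constructor shapes matter: the create/delete rules pass the class GUID as ObjectType (what may be created), while the write and reset-password rules pass it as InheritedObjectType (which descendants the ACE lands on). Swapping them silently changes what is delegated, which is why the script ends by listing both columns for review.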