Delegation of control allows a user to have permission to perform administration actions on a selection of users. This video looks at how to achieve this using delegation of control wizard and what the wizard changes in order to provide this access.
Delegation of control
Although there is almost an endless amount of options in the Delegation wizard, the most common one use for administrators are to do with users and groups. Used correctly, you could give a user permissions to perform user administration of a particular OU rather than giving them access to perform administration for all users in the domain.
To use the delegation wizard, first open Active Directory Users and Computers.
Right click the OU you want to perform delegation on and select the option Delegate Control.
In the wizard select the users that you want to administration to be delegated to. It is recommended to create a group as if you want to remove or add additional users later it is a simple matter of changing the members in the group.
When asked in the wizard, choose which tasks to want to delegate to that user or users when prompted.
If you open the properties for the OU and select the security tab, you can see the permissions that have been assigned to the OU.
The delegation wizard effectively changes the permissions on the OU. The administrator could have change the permissions in the OU manually. If they want to reverse the changes done by the wizard modify the permissions for the OU and remove any permissions assigned by the delegation wizard.