My preferred method is as follows. Keep OU names simple and linked to object type or organization delegation type. Use the description attribute on each OU to describe the OU instead of making the RDN and DN describe the OU. Also look at third-party products if you have to do multiple delegations and need to control content being entered. I am a big fan of Aelita's EDM 5.0 for both its 32-bit interface and its web interface and ADSI provider.
Here is a pretty good strategy.

<Root>
-AD
  + Delegation        Description
  =============================================
    +Users            Del#1/Users
    +Computers        Del#1/Computers
    -Groups           Del#1/Groups
      +Org            Del#1/Groups/Org
      +DL             Del#1/Groups/DL
    -OPS              Del#1/OPS
      +Services       Del#1/Services
      +Accounts       Del#1/Accounts
      +Contacts       Del#1/Contacts
      +Servers        Del#1/Servers
      +Resources      Del#1/Resources
  + Delegation        Description
    +Users            Del#2/Users
    +Computers        Del#2/Computers
    -Groups           Del#2/Groups
      +Org            Del#2/Groups/Org
      +DL             Del#2/Groups/DL
    -OPS              Del#2/OPS
      +Services       Del#2/Services
      +Accounts       Del#2/Accounts
      +Contacts       Del#2/Contacts
      +Servers        Del#2/Servers
      +Resources      Del#2/Resources

When doing searches it is easier to search on description than on OU or CN. When programming it is easier to program names that are simple and short. If you named your OU "Del #1 Users", technically it is supported, but administratively it is a nightmare.

For delegation to work properly you need to separate the role of Domain Administrators (Directory Admins) and each delegated Admin of an OU (Data Admins). Directory Admins are responsible for creating Delegation and managing the physical security, patch level, disaster recovery, and operation of the Domain Controllers. Data Admins are responsible for creating the users, groups, and resource accounts within the directory. Data Administration can be divided up as many ways as you see fit; I have a rule of three.

Full Admin: Full Control over managing OU and resources.
Helpdesk Admin: Ability to reset certain passwords, update attributes on certain objects, create new computer accounts and modify membership of ORG and DL groups. Read Access to Operations.
Server Admin: Ability to do Help desk tasks as well as manage server and resource objects in OPS OU.
Services Admin: Ability to manage service accounts and is the only one delegated to be able to modify the object other than the system account.
Through the use of third-party tools you can pretty easily create recurring roles, limit the object type that can be created in an OU, dynamically populate groups, add validation to field entry, and a host of other important identity management tasks. I also recommend that you use GPOs to restrict group memberships to certain key groups so they can't be hijacked by hackers or rogue admins.

Todd

-----Original Message-----
From: Thommes, Michael M. [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 19, 2003 4:45 PM
To: Active Directory Mailing List (E-mail)
Subject: [ActiveDir] suggestions for OU delegation information sources

Hi All!

As we continue to "flesh out" our AD structure, we are trying to give delegation authority for various objects in OUs to the appropriate groups. Being a "control freak", I don't want to give these groups full control over all of the objects in the OU since this is also where our user accounts sit. We've done some experimenting with modifying the delegwiz.inf file to create custom templates but find that information for exact permissions needed to do a particular task is somewhat scarce. Has anyone put together a custom delegwiz.inf file that we could "borrow" from? Is there any literature out there regarding delegation that someone would recommend? Any help is always appreciated! Thanks!

Mike Thommes
Argonne National Laboratory

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
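The following is an added example, not code from either list post, showing in PowerShell what Todd's layout and his "Helpdesk Admin" role look like when scripted: short, type-based OU names with the "Del#N/path" meaning kept in the description attribute, a search that uses that description instead of parsing DNs, and two narrowly scoped ACEs (reset password on user objects, modify membership on group objects) rather than full control over the OU. It assumes the RSAT ActiveDirectory module and the AD: drive it provides; the parent OU (OU=AD,DC=corp,DC=example) and the group name Del1-HelpdeskAdmins are hypothetical placeholders.

```powershell
# Added example (not from the original list thread). Assumes the RSAT
# ActiveDirectory module; the domain, parent OU and group names below are
# hypothetical placeholders.
Import-Module ActiveDirectory

# One delegation unit, mirroring the OU names and description values in the
# post. Parent is relative to the delegation's own OU; placing Services,
# Accounts, Contacts, Servers and Resources under OPS is one reading of the
# post's indentation.
$Layout = @(
    @{ Name = 'Users';     Parent = '';          Desc = 'Users' },
    @{ Name = 'Computers'; Parent = '';          Desc = 'Computers' },
    @{ Name = 'Groups';    Parent = '';          Desc = 'Groups' },
    @{ Name = 'Org';       Parent = 'OU=Groups'; Desc = 'Groups/Org' },
    @{ Name = 'DL';        Parent = 'OU=Groups'; Desc = 'Groups/DL' },
    @{ Name = 'OPS';       Parent = '';          Desc = 'OPS' },
    @{ Name = 'Services';  Parent = 'OU=OPS';    Desc = 'Services' },
    @{ Name = 'Accounts';  Parent = 'OU=OPS';    Desc = 'Accounts' },
    @{ Name = 'Contacts';  Parent = 'OU=OPS';    Desc = 'Contacts' },
    @{ Name = 'Servers';   Parent = 'OU=OPS';    Desc = 'Servers' },
    @{ Name = 'Resources'; Parent = 'OU=OPS';    Desc = 'Resources' }
)

function New-DelegationOUTree {
    param(
        [Parameter(Mandatory)][string]$Delegation,   # e.g. 'Del#1'
        [Parameter(Mandatory)][string]$ParentDN      # OU under which the delegation OU is created
    )
    # The delegation OU itself is the only place the delegation name appears in a DN.
    $root = New-ADOrganizationalUnit -Name $Delegation -Path $ParentDN `
                -Description "$Delegation root" -PassThru
    foreach ($ou in $Layout) {
        $path = if ($ou.Parent) { "$($ou.Parent),$($root.DistinguishedName)" }
                else            { $root.DistinguishedName }
        # The description carries the searchable meaning: Del#1/Groups/Org, Del#1/Servers, ...
        New-ADOrganizationalUnit -Name $ou.Name -Path $path -Description "$Delegation/$($ou.Desc)"
    }
    return $root
}

function Find-DelegationOU {
    param([Parameter(Mandatory)][string]$Delegation)
    # One LDAP filter on description returns the whole unit; no DN parsing needed.
    Get-ADOrganizationalUnit -Filter "Description -like '$Delegation/*'" -Properties Description |
        Select-Object Name, Description, DistinguishedName
}

# Well-known schema GUIDs used to scope the ACEs to one right on one object class.
$ResetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" control access right
$MemberAttribute    = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'  # member attribute
$UserClass          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # user object class
$GroupClass         = [Guid]'bf967a9c-0de6-11d0-a285-00aa003049e2'  # group object class

function Add-OuAce {
    param(
        [Parameter(Mandatory)][string]$OuDN,
        [Parameter(Mandatory)][string]$GroupSam,
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [Parameter(Mandatory)][Guid]$ObjectType,          # attribute or control-access-right GUID
        [Parameter(Mandatory)][Guid]$InheritedObjectType  # class of descendant objects the ACE applies to
    )
    $sid = (Get-ADGroup -Identity $GroupSam).SID
    $acl = Get-Acl -Path "AD:\$OuDN"
    # Inherit-only ACE: applies to descendant objects of the given class, not to the OU itself.
    $ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType, [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $InheritedObjectType
    )
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$OuDN" -AclObject $acl
}

# --- usage (hypothetical domain, parent OU and group) ---
$del1 = New-DelegationOUTree -Delegation 'Del#1' -ParentDN 'OU=AD,DC=corp,DC=example'
Find-DelegationOU -Delegation 'Del#1'

# Helpdesk Admin for Del#1: reset passwords on user objects under Users ...
Add-OuAce -OuDN "OU=Users,$($del1.DistinguishedName)" -GroupSam 'Del1-HelpdeskAdmins' `
    -Rights ExtendedRight -ObjectType $ResetPasswordRight -InheritedObjectType $UserClass
# ... and change membership of the Org/DL groups under Groups, and nothing else on the OU.
Add-OuAce -OuDN "OU=Groups,$($del1.DistinguishedName)" -GroupSam 'Del1-HelpdeskAdmins' `
    -Rights WriteProperty -ObjectType $MemberAttribute -InheritedObjectType $GroupClass
```

The two Add-OuAce calls are the scripted form of the narrow grant Mike is after: each ACE names one right (a control access right or one attribute) and one object class, and is inherit-only, so the helpdesk group gets no rights on the OU object or on other object types in it. Checking the result with Get-Acl on the OU, or with dsacls, before and after shows exactly which ACEs were added.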