Active Directory Security dot com

Complete Coverage of Delegation, Security Audit & Compliance Reporting in Active Directory

Brought to you by former Microsoft Program Manager for Active Directory Security

How to Delegate an Administrative Task in Active Directory

Step-by-step instructions on how to delegate an administrative task in Active Directory


To delegate authority for an administrative task in Active Directory, carry out the following steps –

  1. Open the Active Directory Users and Computers snap-in (click Start, click Run, type dsa.msc and press Enter).
  2. Click View in the menu bar and make sure that Advanced Features is selected (i.e. it is tick-marked).
  3. To delegate administrative authority on a specific object, such as a user account or a security group, navigate to that object. To delegate authority on a collection of objects, such as all user accounts in an OU, navigate to the OU object.
  4. Right-click the object and select Properties.
  5. Click the Security tab.
  6. Click the Advanced button to open the Advanced Security Settings pane.
  7. Click the Add button.
  8. In the Select User, Computer or Group dialog, enter the name of the user, computer or security group to whom you wish to delegate the task. For example, you can enter John Doe, the Local IT Admins group, or the SQL Server Service Account.
  9. Determine which permissions must be granted in order to delegate the task.

      NOTE: For a list of common delegations, see the Top-20 delegations page of this website. For a comprehensive list, refer to Appendix A of Microsoft's official whitepaper on delegating administrative access in Active Directory.
  10. If the task requires specific Write Property permissions, click the Properties tab.
  11. In the Apply onto drop-down, choose the appropriate scope. If you are delegating authority on a specific object, select This object only; otherwise select the appropriate object class (for example, User objects).
  12. In the Permissions section, tick the check-box in the Allow column for each permission the task requires (e.g. Write Property, Delete).
  13. If you wish to restrict the scope of the delegation to only those objects that are directly within the OU or container on which you are making these permission changes, tick the Apply these permissions to objects and/or containers within this container only check-box.
  14. Click OK in the Permission Entry pane.
  15. Scroll through the list of access control entries (ACEs) and visually confirm that the permissions you granted, paired with the user, group or computer you specified, appear in the Permission entries section of the Advanced Security Settings pane.
  16. Click OK to return to the Security tab of the object's Properties pane.
  17. Click OK to return to the main Active Directory Users and Computers panel.
  18. Verify that in fact administrative authority has been precisely delegated, meaning that –

    1. All users to whom you intended to delegate the administrative task can now actually carry out the task.
    2. Only those users to whom you intended to delegate the task, and none other, can carry out the task.
    3. All intended users can only carry out the tasks you intended to delegate, and none other.

     WARNING: No administrative delegation should be considered complete until it has been accurately verified.

     To learn how to verify a delegation, please see the How to Verify Delegated Access in AD section of this website.

If all of the above steps have been correctly enacted, you have successfully delegated your administrative task.
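The same delegation (steps 7 through 18) can be scripted rather than clicked through. The following PowerShell is an added example, not code from this website; it assumes the RSAT ActiveDirectory module, and the domain, OU, group and attribute names in it are constructed placeholders to replace with your own. It writes one Write Property ACE scoped to a single attribute on a single object class, honours the step-13 "within this container only" option, and then reads the ACL back so the result can be verified rather than assumed.

```powershell
# Added example (not part of the original page). Placeholders: corp.example, OU=Staff, CORP\Help Desk.
Import-Module ActiveDirectory

function Get-SchemaGuid {
    # Resolve a class or attribute lDAPDisplayName to its schemaIDGUID from the live schema,
    # so the ACE is scoped to exactly that attribute / object class without hard-coded GUIDs.
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "No schema object named '$LdapDisplayName'" }
    return [guid]$obj.schemaIDGUID
}

function Grant-AdAttributeWrite {
    param(
        [Parameter(Mandatory)][string]$OuDn,        # OU the ACE is written on (step 3)
        [Parameter(Mandatory)][string]$Identity,    # DOMAIN\group being delegated to (step 8)
        [Parameter(Mandatory)][string]$Attribute,   # attribute for Write Property (steps 10-12)
        [string]$ObjectClass = 'user',              # "Apply onto" object class (step 11)
        [switch]$ThisContainerOnly                  # the step-13 check-box
    )
    $path = "AD:\$OuDn"
    $acl  = Get-Acl -Path $path
    $sid  = ([System.Security.Principal.NTAccount]$Identity).Translate([System.Security.Principal.SecurityIdentifier])
    # Descendents = every object of the class below the OU; Children = immediate children only,
    # which is what "Apply these permissions to objects and/or containers within this container only" does.
    $inherit = if ($ThisContainerOnly) { 'Children' } else { 'Descendents' }
    $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        (Get-SchemaGuid $Attribute),
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$inherit,
        (Get-SchemaGuid $ObjectClass))
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl

    # Steps 15 and 18: read the ACL back and return the Write Property ACEs held by this identity,
    # so the caller can confirm one entry exists with the intended attribute, class and scope.
    (Get-Acl -Path $path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity -and $_.ActiveDirectoryRights -match 'WriteProperty' } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType, IsInherited
}

# Constructed usage: allow the Help Desk group to write telephoneNumber on user objects under one OU.
Grant-AdAttributeWrite -OuDn 'OU=Staff,DC=corp,DC=example' -Identity 'CORP\Help Desk' -Attribute 'telephoneNumber'
```

The returned ACE list is the scripted equivalent of step 15; it does not replace step 18, which still requires testing that the delegated group can, and nobody else can, perform the task.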

Copyright ActiveDirSec.Com 2008 – 2010. All Rights Reserved.