Learn how to create an Active Directory delegation model to grant users elevated permissions without adding them to highly privileged groups like Domain Admins and Account Operators.
Follow these four steps: 1) Create roles, limiting yourself to a small, manageable number; 2) Assign responsibilities by developing use cases to identify what each role can and cannot do; 3) Define an OU security model by creating a top-level OU for Tier 4 Admins and sub-OU hierarchies for each region or business unit, with separate sub-admin groups to prevent privilege escalation; 4) Control how delegated rights are used by enforcing the principle of least privilege, using the Secondary Logon service to elevate privileges, and using the Delegation of Control Wizard to delegate permissions in Active Directory. Remember, simplicity equals supportability, and a sustainable delegation model pays huge dividends in properly and efficiently controlling Active Directory delegated permissions.
