Monday, August 24, 2009

Extend the AD Delegation Control Wizard

I often see questions in the newsgroups about delegating control in AD; a typical example is delegating control of an OU.

Delegation is important because you don't want to just give any "admin" user domain admin rights. The key is to limit domain admin and other elevated rights to as few accounts as possible.

There is a Delegation of Control Wizard that is started by right-clicking the OU (I'll be using an OU for this entire blog entry) and selecting Delegate Control.

When you run the wizard you get 11 choices by default at the OU level.

Where does this list of tasks come from and can it be extended?

That list is built from a file called delegwiz.inf, located in the \Inf folder under the Windows directory. In my case it is c:\windows\inf.

That file can be modified, and Microsoft has a great article that gives you a new file to use and outlines the steps required to make the modifications. It is part of their Best Practices for Active Directory Administration: Appendices.

For this blog entry we will specifically use:

Appendix O: Active Directory Delegation Wizard File

As Appendix O shows, you copy its contents into Notepad, save it, and replace the current delegwiz.inf with the new file. As they point out, make sure to back up your current file first.

After you make the change you will notice that the wizard offers many more choices than the original 11 you got by default.
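To see exactly which tasks a given delegwiz.inf will offer at the OU level, here is an added PowerShell example (not from the original post or from Microsoft's appendix) that reads the file and lists the templates applying to a chosen object class. It assumes the stock INF layout: a [DelegationTemplates] section whose Templates key names the template sections, each of which carries AppliesToClasses and Description keys; the function name and the default path are my own choices.

```powershell
# Added example: list the delegation tasks delegwiz.inf offers for an object class.
# Assumed INF layout: [DelegationTemplates] Templates=template1,... and one
# [templateN] section per task with AppliesToClasses and Description keys.
function Get-DelegationTemplate {
    param(
        [string]$Path = "$env:windir\inf\delegwiz.inf",
        [string]$ObjectClass = 'organizationalUnit'
    )
    # Parse the INF into section -> (key -> value); ';' starts a comment.
    $sections = @{}
    $current = $null
    foreach ($raw in Get-Content -Path $Path) {
        $line = ($raw -split ';')[0].Trim()
        if (-not $line) { continue }
        if ($line -match '^\[(.+)\]$') {
            $current = $Matches[1]
            $sections[$current] = @{}
            continue
        }
        if ($current -and $line -match '^([^=]+?)\s*=\s*(.*)$') {
            $sections[$current][$Matches[1]] = $Matches[2].Trim('"')
        }
    }
    if (-not $sections.ContainsKey('DelegationTemplates')) {
        throw "No [DelegationTemplates] section found in $Path"
    }
    $names = $sections['DelegationTemplates']['Templates'] -split '\s*,\s*'
    foreach ($name in $names) {
        $t = $sections[$name]
        if (-not $t) {
            Write-Warning "Template '$name' is listed but has no [$name] section"
            continue
        }
        # AppliesToClasses decides whether the task shows up for this class
        $classes = $t['AppliesToClasses'] -split '\s*,\s*'
        if ($classes -contains $ObjectClass) {
            [pscustomobject]@{
                Template    = $name
                Description = $t['Description']
                AppliesTo   = $t['AppliesToClasses']
            }
        }
    }
}

# Usage: count the OU-level tasks in the live file and in your backup copy
# (the backup path is a placeholder) to confirm the replacement took effect.
Get-DelegationTemplate | Format-Table -AutoSize
(Get-DelegationTemplate -Path 'C:\backup\delegwiz.inf.orig' | Measure-Object).Count
```

Running it with the default file should show the same 11 OU-level tasks the wizard presents, and re-running after the swap shows the expanded list.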

There are also more advanced ways to delegate control in AD, as well as some good third-party tools. Some of those methods will be covered in future blog posts.