
Using delegation of control
As an alternative to using the built-in groups, you can granularly delegate permissions per OU.
There are a few recommended practices to keep you and your colleagues sane:
- Build a delegation of control model and/or authorization matrix before performing delegation of control. This way, delegation settings can be continually documented, agreed upon, and transferred to other admins without adding unnecessary complexity.
- Always use groups when delegating permissions, not individual user or computer accounts. This way, giving permissions is a matter of (temporarily) adding a user account to a group, instead of going through the Delegation of Control Wizard each time. It also makes auditing that much easier.
- Avoid deny permissions; they add complexity. An explicit deny ACE takes precedence over an explicit allow ACE on the same object, and an explicit allow in turn overrides an inherited deny, so the effective permissions of an object carrying both become hard to reason about.
- Use a hacker mindset. Always test the delegation settings from the point of view of a member of the delegated group and look for unwanted side effects, such as rights that reach objects or attributes you did not intend to expose.
- Combine delegation of control over groups with NTDS Quotas. A quota caps the number of objects a security principal can own in a directory partition, so group administrators cannot create a thousand or more groups, add a target account to all of them, and thereby deny that account the ability to sign in: a Windows access token holds at most 1,024 SIDs, so an account with roughly 1,015 or more group memberships (nested groups included) can no longer log on. Note that members of Domain Admins and Enterprise Admins are exempt from quotas.
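The following PowerShell is an added example and not code from the book: it turns a small authorization matrix into ACEs on OUs (groups as trustees only), reads the resulting ACL back to flag deny ACEs and broad rights, and caps object creation for the group administrators with an NTDS quota. The domain `corp.example`, the OUs `Helpdesk-Managed` and `Groups`, and the groups `Tier2-Helpdesk` and `Group-Admins` are hypothetical; the schema GUIDs are the documented defaults.

```powershell
# Added example (not from the book). Domain, OU and group names are hypothetical.
Import-Module ActiveDirectory

$domainDN = 'DC=corp,DC=example'

# Well-known schema GUIDs used in object-specific ACEs.
$G = @{
    UserClass     = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # user object class
    GroupClass    = [Guid]'bf967a9c-0de6-11d0-a285-00aa003049e2'  # group object class
    Member        = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'  # member attribute
    PwdLastSet    = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # pwdLastSet attribute
    ResetPassword = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # Reset Password control access right
}
$Desc = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$All  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All

# The authorization matrix: one row per delegated right, kept under version control.
# Trustees are always groups, never individual accounts.
$matrix = @(
    @{ OU='OU=Helpdesk-Managed'; Group='Tier2-Helpdesk'; Right='ExtendedRight'; Type=$G.ResetPassword; On=$G.UserClass;  Inherit=$Desc }
    @{ OU='OU=Helpdesk-Managed'; Group='Tier2-Helpdesk'; Right='WriteProperty'; Type=$G.PwdLastSet;    On=$G.UserClass;  Inherit=$Desc }
    @{ OU='OU=Groups';           Group='Group-Admins';   Right='CreateChild';   Type=$G.GroupClass;    On=[Guid]::Empty; Inherit=$All  }
    @{ OU='OU=Groups';           Group='Group-Admins';   Right='WriteProperty'; Type=$G.Member;        On=$G.GroupClass; Inherit=$Desc }
)

function Apply-DelegationMatrix {
    param([array]$Rows, [string]$DomainDN)
    foreach ($ou in ($Rows | ForEach-Object { $_.OU } | Select-Object -Unique)) {
        $path = "AD:\$ou,$DomainDN"
        $acl  = Get-Acl -Path $path
        foreach ($row in ($Rows | Where-Object { $_.OU -eq $ou })) {
            $sid = (Get-ADGroup -Identity $row.Group).SID
            $ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
                $sid,
                [System.DirectoryServices.ActiveDirectoryRights]$row.Right,
                [System.Security.AccessControl.AccessControlType]::Allow,
                $row.Type, $row.Inherit, $row.On
            $acl.AddAccessRule($ace)
        }
        Set-Acl -Path $path -AclObject $acl
    }
}

# "Hacker mindset": read the explicit ACEs back and flag anything a reviewer should question.
function Test-OuDelegation {
    param([string]$OuDN)
    $broad = 'GenericAll', 'WriteDacl', 'WriteOwner'
    (Get-Acl -Path "AD:\$OuDN").Access | Where-Object { -not $_.IsInherited } | ForEach-Object {
        $flags = @()
        if ($_.AccessControlType -eq 'Deny') { $flags += 'DENY-ACE' }
        foreach ($r in $broad) { if ("$($_.ActiveDirectoryRights)" -match $r) { $flags += $r } }
        [pscustomobject]@{
            Trustee    = $_.IdentityReference
            Rights     = $_.ActiveDirectoryRights
            Type       = $_.AccessControlType
            ObjectType = $_.ObjectType
            Flags      = ($flags -join ',')
        }
    }
}

Apply-DelegationMatrix -Rows $matrix -DomainDN $domainDN
Test-OuDelegation -OuDN "OU=Groups,$domainDN" | Format-Table -AutoSize

# NTDS quota: members of Group-Admins may own at most 200 objects in the domain partition.
# The effective quota is the largest one that applies directly or through group membership.
dsadd quota -part $domainDN -acct 'CORP\Group-Admins' -qlimit 200 -rdn 'Quota-Group-Admins'

# Confirm the quota object exists.
Get-ADObject -SearchBase "CN=NTDS Quotas,$domainDN" -Filter 'objectClass -eq "msDS-QuotaControl"' `
    -Properties msDS-QuotaTrustee, msDS-QuotaAmount | Format-Table Name, msDS-QuotaAmount
```

Run it as a member of Domain Admins against a test domain first. The matrix is deliberately the only place where rights are defined, so a change request is a diff to that array rather than a trip through the Delegation of Control Wizard, and `Test-OuDelegation` gives you the list to review after every run.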