Active Directory has great support for fine-grained permissions, and Microsoft intent all along was for you to be able to dole out just the permissions people needed over specific portions of the directory. Delegation was intended to be a way for certain tasks to be taken off of IT's back, and put into the hands of people throughout the organization. Keeping directory attributes updated, unlocking accounts, resetting password, whatever you need to delegate can be done. The Delegation of Control (DoC) Wizard makes it pretty easy to set up, offering pre-packaged sets of permissions that you can drop onto an organizational unit (OU).
The problem is in maintaining that delegation over time. The native Active Directory tools don't provide any way of seeing who has been delegated what, apart from the native, one-object-at-a-time permissions dialog.
In this whitepaper, we will discuss the challenges of managing delegation with native tools and how you can end the delegation nightmare with Active Administrator from ScriptLogic.