In the final days of Windows NT, the lack of delegation features built into the product made administrators switch to Active Directory. It provided a simple method to delegate tasks to members with the help of the Delegate Control Wizard. This gave administrators the ability to grant a group of users granular control over selected AD objects.
Administrators could now delegate repetitive yet necessary tasks to help desk technicians and managers, in some cases including the ability to modify a group's member attribute, grant permissions, reset passwords, and unlock user accounts. Active Directory also provided an interactive interface, Active Directory Users and Computers (ADUC), to help them keep track of the delegated administrative tasks. Coupled with RSAT (Remote Server Administration Tools), this made delegation much easier.
However, the biggest flaw of the ADUC tool is that it has no intelligence about the delegations that have been made. This is partly because every user in Active Directory has “read” access to everything in Active Directory. As a result, a user with delegated rights sees the whole directory and has to navigate around the tool to find the area over which the rights were granted. Finding that area, and then the menus and tasks they can actually perform there, takes quite a bit of trial and error.
Alternatively, Microsoft provides Taskpad Views to narrow down the “view” of what the user with delegated permissions can see. Here's a short note on how you can generate a Taskpad View.
First, you can’t use the Active Directory Users and Computers tool that is located in the Administrative Tools folder or menu listing. Instead, you must launch Active Directory Users and Computers from within the MMC (Microsoft Management Console) administrative tool. Once you are inside the MMC and have added the Active Directory Users and Computers snap-in, you can start creating a Taskpad View. To do so, first navigate to the node (domain level, OU, or even object) in the Active Directory Users and Computers interface. From there, right-click on the node and you will see an option for Taskpad View.
The trick with the Taskpad View is that you first need to decide what the delegated user will see, and then configure what the delegated user’s interface can accomplish. I will tell you now that this will take a good deal of trial and error before you get it just right.
Yes, Active Directory Users and Computers and the accompanying Taskpad View are free. However, you will find that the administration of these interfaces is manual and laborious, and requires constant maintenance as delegations change.
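Because ADUC does not show where a delegation applies, one way to keep track as delegations change is to read the ACLs directly. The following is an added example, not part of the original article: it lists the explicit permissions a delegated group holds on each OU. It assumes the RSAT ActiveDirectory PowerShell module; the group name `CONTOSO\HelpDesk` and the function name `Get-DelegatedAce` are hypothetical.

```powershell
# Added example: report explicit (non-inherited) ACEs a delegated group holds on each OU.
# Assumes the RSAT ActiveDirectory module, which provides the AD: drive used by Get-Acl.
Import-Module ActiveDirectory

$Delegate = 'CONTOSO\HelpDesk'   # hypothetical delegated group

# Well-known schema GUIDs for the tasks mentioned in the article
$KnownGuids = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password (extended right)'
    'bf9679c0-0de6-11d0-a285-00aa003049e2' = 'member attribute (group membership)'
    '28630ebf-41d5-11d1-a9c1-0000f80367c1' = 'lockoutTime attribute (unlock account)'
    '00000000-0000-0000-0000-000000000000' = 'all objects / all properties'
}

function Get-DelegatedAce {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    # Only OUs are walked here; the domain root and plain containers are not covered.
    Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase | ForEach-Object {
        $ou = $_.DistinguishedName
        (Get-Acl -Path "AD:\$ou").Access |
            Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -eq $Identity } |
            ForEach-Object {
                $guid = $_.ObjectType.ToString()
                [pscustomobject]@{
                    OU        = $ou
                    Type      = $_.AccessControlType        # Allow or Deny
                    Rights    = $_.ActiveDirectoryRights    # e.g. ExtendedRight, WriteProperty
                    AppliesTo = if ($KnownGuids.ContainsKey($guid)) { $KnownGuids[$guid] } else { $guid }
                    ChildType = $_.InheritedObjectType      # GUID of the object class the ACE flows to
                }
            }
    }
}

Get-DelegatedAce -Identity $Delegate | Sort-Object OU | Format-Table -AutoSize -Wrap
```

Running it on a schedule and comparing the output between runs shows when a delegation has been added or removed.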