You can use zones to delegate administrative tasks to specific users or groups. Using hierarchical zones, you can give separate groups of administrators the authority to manage different sets of computers and users without granting them permission to perform actions on other computers, in other zones, or on other Active Directory objects. You can also use zones to establish a separation of duties so that only specific groups or users can perform certain tasks. For example, you can create a child zone for software-development and give the dev_mgrs group authority to manage rights and roles and manage role assignments on the computers in that zone.
By creating child zones and delegating administrative tasks within those zones, you can group computers that form a natural administrative set or that should be managed by different administrative teams. For example, you might want to group computers that are managed by a local support organization in one zone and computers that are managed by a corporate IT group in another zone. You can also control what different groups of users can do within each child zone. For example, you can set up regional zones to provide a separation of duties, authorizing users in San Francisco to manage computers in their local office while a team in Barcelona has authority to join computers to the zone and manage role assignments for offices located in Spain but does not have the authority to add users or groups.
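The scoping rule described above (authority delegated in a zone applies to that zone and the zones beneath it, but never to the parent, to sibling zones, or to tasks that were not delegated) can be made concrete with a small model. The following is an added example written for this page, not the product's own API or code: the zone names, group names and task names are constructed to mirror the scenarios in the text, and the check it performs is a simplified stand-in for the real delegation evaluation.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterator, Optional, Set


@dataclass
class Zone:
    """A zone in a hierarchy (hypothetical model, not the product's data structure).

    Authority delegated in a zone applies to that zone and to every child zone
    beneath it, but never to its parent or to sibling zones.
    """
    name: str
    parent: Optional["Zone"] = None
    # task name -> groups delegated that task in this zone
    delegations: Dict[str, Set[str]] = field(default_factory=dict)

    def lineage(self) -> Iterator["Zone"]:
        """Yield this zone, then each ancestor up to the root."""
        zone: Optional[Zone] = self
        while zone is not None:
            yield zone
            zone = zone.parent

    def delegate(self, task: str, group: str) -> None:
        """Grant `group` the authority to perform `task` in this zone and below."""
        self.delegations.setdefault(task, set()).add(group)


def is_authorized(zone: Zone, user_groups: Set[str], task: str) -> bool:
    """True if any of the user's groups holds `task` in `zone` or in an ancestor.

    Delegations in child or sibling zones are not consulted, which is what
    confines a child-zone administrator to that child zone.
    """
    return any(user_groups & z.delegations.get(task, set()) for z in zone.lineage())


def build_sample_hierarchy() -> Dict[str, Zone]:
    """Constructed sample data mirroring the scenarios in the text."""
    corp = Zone("corp")
    # A corporate IT group delegated at the root reaches every child zone.
    corp.delegate("join_computers", "corp_it")

    dev = Zone("software-development", parent=corp)
    dev.delegate("manage_rights_and_roles", "dev_mgrs")
    dev.delegate("manage_role_assignments", "dev_mgrs")

    sf = Zone("san-francisco", parent=corp)
    sf.delegate("manage_computers", "sf_local_support")

    spain = Zone("spain", parent=corp)
    spain.delegate("join_computers", "barcelona_team")
    spain.delegate("manage_role_assignments", "barcelona_team")
    # Deliberately no "add_users" delegation for barcelona_team: separation of duties.

    return {z.name: z for z in (corp, dev, sf, spain)}


def authority_report(zones: Dict[str, Zone], group: str, task: str) -> Dict[str, bool]:
    """For auditing: in which zones can `group` perform `task`?"""
    return {name: is_authorized(zone, {group}, task) for name, zone in zones.items()}


if __name__ == "__main__":
    zones = build_sample_hierarchy()
    for group, task in [
        ("dev_mgrs", "manage_role_assignments"),
        ("barcelona_team", "join_computers"),
        ("barcelona_team", "add_users"),
        ("corp_it", "join_computers"),
    ]:
        print(f"{group:15} {task:25} {authority_report(zones, group, task)}")
```

Running the block prints, per group and task, the zones in which the delegation takes effect. The `authority_report` helper is the kind of check worth keeping in an audit script: reviewing it after each delegation change confirms that a child-zone team has not silently gained authority at the root or in a sibling zone.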