I am looking for some insight as to how others are handling OU Administration delegation ACLs, as I have the opportunity to restructure my current configuration. Currently, as I work in higher education, we create top-level OUs, delegate full control to a group, and send them on their merry way. This allows OU Admins the ability to “roam free” within their piece of the pie and delegate permissions as they please within their area. The only constraint we as central IT have is that we control and own the user accounts and keep them in a separate OU, for which Admins must use our identity management tool.

So far this approach works; admins have their freedom and central IT controls the user accounts, but I am curious to see other approaches that do not introduce 100+ ACEs while granting OU Admins as much freedom as possible. The one well-documented example I have seen so far is the University of Washington, who similarly appears to control user accounts with their own Identity Management solution.

Thanks,
brendan
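As an added example that is not part of the original post: before restructuring, it helps to measure the existing delegation. This script inventories the explicit (non-inherited) ACEs on each top-level OU and lists which principals hold full control there, so the "100+ ACEs" growth can be tracked per OU. It assumes the RSAT ActiveDirectory module and the AD: PSDrive it provides; OU names are whatever exists in the domain.

```powershell
# Added audit example (not the original poster's configuration).
# Assumes the ActiveDirectory module (RSAT) and its AD: PSDrive are available.
Import-Module ActiveDirectory

function Get-TopLevelOUDelegation {
    $domainDN = (Get-ADDomain).DistinguishedName

    # Top-level OUs only: direct children of the domain root.
    $topLevelOUs = Get-ADOrganizationalUnit -SearchBase $domainDN -SearchScope OneLevel -Filter *

    $genericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

    foreach ($ou in $topLevelOUs) {
        $acl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)

        # Explicit ACEs are set directly on this OU; inherited ones come from the domain root.
        $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })

        # Full control = an Allow ACE whose rights include every bit of GenericAll.
        $fullControl = @($explicit | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.ActiveDirectoryRights -band $genericAll) -eq $genericAll)
        })

        [pscustomobject]@{
            OU            = $ou.Name
            ExplicitACEs  = $explicit.Count
            FullControlTo = ($fullControl | ForEach-Object { $_.IdentityReference.Value } |
                             Sort-Object -Unique) -join ', '
        }
    }
}

# Run it and show the OUs with the most explicit ACEs first.
Get-TopLevelOUDelegation | Sort-Object ExplicitACEs -Descending | Format-Table -AutoSize
```

Running the same function against the central-IT user OU is a quick way to confirm that no delegated OU Admin group has picked up rights there.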