Windows Server 2003 - AD
©2004 Team Approach Limited
All rights reserved


The following table shows which administrative groups control which AD naming contexts.

Administrative Group                    Naming Context
Domain Admins (in each domain)          that domain's naming context
Enterprise Admins (in the root domain)  configuration naming context
Schema Admins (in the root domain)      schema naming context

Active Directory ACEs (Access Control Entries) can apply to all objects or to a specific object type. Through inheritance, an object-type-specific ACE set on an OU applies to every object of that type within the OU.

ACE 1 for User objects
ACE 2 for Shared Folder objects
ACE 3 for OUs

(Diagram: each ACE set on the OU is inherited only by the objects of its own type within that OU.)

Administration can be delegated by defining an ACE for an OU. For example, John can manage groups in one OU and Jane can manage groups in another.

(Diagram: "John can modify Group objects" is an ACE on the first OU and "Jane can manage Group objects" is an ACE on the second; each applies only to the groups in its own OU.)

Configuring DACLs for administration can become complex. To simplify this, Windows provides a Delegation of Control wizard that defines common tasks.

Administrators select a common task and let the wizard set the DACL details. The following example shows that a predefined task may involve two or more ACEs, which the wizard sets automatically.

ACE 1 for the OU - FinanceAdmin can create User objects
ACE 2 for User objects - FinanceAdmin can modify User objects

Active Directory inheritance works the same way as in the file system, except that OUs are the containers and take the place of folders. The following diagrams show how the inheritance propagation options are applied: the top node is the container on which the ACE is set, ● marks an object the ACE applies to and ○ an object it does not apply to.

Child objects only

  ○
 ┌┼┐
 ●●●
┌┼┐├┐
●●●●●

This object only

  ●
 ┌┼┐
 ○○○
┌┼┐├┐
○○○○○

This object & all child objects

  ●
 ┌┼┐
 ●●●
┌┼┐├┐
●●●●●


Child objects only, with "apply within this container only" set

  ○
 ┌┼┐
 ●●●
┌┼┐├┐
○○○○○

User objects

  ○
 ┌┼┐
 ○●○
┌┼┐├┐
○●○○●

This object & all child objects, where one child container does not allow propagation (blocks inheritance)

  ●
 ┌┼┐
 ●●○
┌┼┐├┐
●●●○○

A grayed checkbox on an ACE in the permissions dialog indicates that the ACE is inherited.

The Advanced Security Settings dialog shows

  • where the ACE is inherited from or indicates that it is explicit <not inherited>
  • which objects inherit the permissions

The ACE has permissions that apply to

  • the object and
  • each property/attribute within the object
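As an added example (not the page's own code), the following PowerShell script uses System.DirectoryServices to build the two ACEs the delegation task above needs (create User objects on the OU; modify User objects inherited by descendants only) and then lists the OU's ACEs with the inheritance facts the Advanced Security Settings dialog shows. The OU path, the group name and the -Apply switch are assumptions; by default nothing is written.

```powershell
# Added example, not from the original page. Builds the delegation's two ACEs and
# reports explicit vs inherited ACEs on the OU. OU path and group are placeholders.
param([switch]$Apply)   # dry run by default; pass -Apply to commit the ACEs

Add-Type -AssemblyName System.DirectoryServices

function Get-SchemaClassGuid([string]$LdapDisplayName) {
    # Resolve the class's schemaIDGUID from the schema naming context at run time.
    $schemaNc = ([ADSI]'LDAP://RootDSE').Properties['schemaNamingContext'].Value
    $filter   = "(&(objectClass=classSchema)(lDAPDisplayName=$LdapDisplayName))"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList @(
        [ADSI]"LDAP://$schemaNc", $filter, [string[]]@('schemaIDGUID'))
    return [Guid]$searcher.FindOne().Properties['schemaidguid'][0]
}

function New-UserDelegationRules([string]$GroupName) {
    $id       = New-Object System.Security.Principal.NTAccount -ArgumentList $GroupName
    $userGuid = Get-SchemaClassGuid 'user'
    $allow    = [System.Security.AccessControl.AccessControlType]::Allow
    # ACE 1 sits on the OU itself ("This object only" = None) and permits creating
    # child objects; objectType = User limits that to user accounts.
    $create = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $id, [System.DirectoryServices.ActiveDirectoryRights]::CreateChild, $allow, $userGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    # ACE 2 is inherited by descendants only ("Child objects only" = Descendents) and is
    # filtered to the User class via inheritedObjectType, so groups and OUs are untouched.
    $modify = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $id, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty, $allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, $userGuid)
    return @($create, $modify)
}

function Get-AceReport([string]$Path) {
    # IsInherited is the grayed checkbox; InheritanceType/InheritedObjectType say who inherits.
    ([ADSI]$Path).ObjectSecurity.GetAccessRules($true, $true,
        [System.Security.Principal.NTAccount]) |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                      IsInherited, InheritanceType, InheritedObjectType
}

$ouPath = 'LDAP://OU=Finance,DC=example,DC=com'   # placeholder OU
$group  = 'EXAMPLE\FinanceAdmin'                  # placeholder group
$rules  = New-UserDelegationRules $group
$rules | Format-Table ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType
if ($Apply) {
    $ou = [ADSI]$ouPath
    foreach ($r in $rules) { $ou.ObjectSecurity.AddAccessRule($r) }
    $ou.CommitChanges()
}
Get-AceReport $ouPath | Format-Table -AutoSize
```

Run it without -Apply first and compare the reported ACEs against what the Delegation of Control wizard produced on a test OU; rows with IsInherited set correspond to the grayed entries in the dialog.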