Each domain or domain tree has its own security boundaries. The system administrator can grant rights to individuals within organizational units with greater granularity. In fact, certain administrative responsibilities can be granted on an OU basis without endangering system security. As more users become "empowered" to manage aspects of their normal work within their environment, the mundane responsibilities of system administration are reduced.
If a system administrator considers a security boundary as a logical management segment, responsibility for each boundary or segment can then be delegated to other administrators. A system administrator in one domain is not automatically the administrator in another domain. Alternately, an administrator may want to extend his or her control over many domains. Administrative privileges can be delegated by organizational unit, domain, tree, or forest.
Another important aspect of this containerized OU and domain tree strategy is how it copes with organizational change. In many operating systems, changes or deletions usually equate to many hours of system administrator manual labor. The Active Directory permits OU changes to be accommodated by pruning, grafting, and merging branches from one domain tree to another. It also provides simple drag-and-drop functionality. For example, if the widget department in Ohio is to be consolidated with the super-widget department in Michigan, the system administrator need only drag that object to the domain tree of the merged organization.
For in-depth information on how to manage active directory refer to The Ultimate Windows 2000 System Administrator's Guide (Addison Wesley, 2000).