Where to Apply Permissions
An Active Directory forest is comprised of one or more domains that share a common configuration and schema boundary. Within those domains, objects can be further arranged into containers known as organizational units. Each organization should devise an organizational unit structure that meets their business needs and allows for optimum delegation of administrative privileges.
For more information about designing an organizational unit structure, see Best Practice Active Directory Design for Managing Windows Networks and Best Practices for Delegating Active Directory Administration.
When you design a delegation model, there are several possibilities for applying permissions; however, this guide discusses only the following two methods:
Applying permissions at the domain level
Applying permissions at the organizational unit level