Windows Server 2008 Active Directory Resource Kit
The option to delegate administrative permissions in Windows Server 2008 AD DS provides a great deal of flexibility in how a domain can be administered. The delegation of administrative rights is based on the Active Directory security model, in which every object and every attribute on every object has an ACL that controls what permissions security principals have to a specific object. According to the security model, all permissions are, by default, inherited from container objects to objects within the container. These two basic features of the security model mean that one can assign almost any level of permission to any Active Directory object.
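To see both features of the security model on a live object, the following added example (not code from the Resource Kit) reads the ACL of one container and reports, per entry, whether it is explicit or inherited and whether it covers the whole object or a single attribute or class. The function name `Get-AdAceReport` and the distinguished name are assumptions made for illustration; the script only reads and changes nothing in the directory.

```powershell
Add-Type -AssemblyName System.DirectoryServices

function Get-AdAceReport {   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)]
        [string]$DistinguishedName
    )

    # Bind to the object over LDAP with the caller's own credentials.
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DistinguishedName")

    # GetAccessRules(includeExplicit, includeInherited, targetType):
    # return explicit and inherited entries, with trustees as account names.
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules(
        $true, $true, [System.Security.Principal.NTAccount])

    # Rights that let a trustee change the object, its children or its ACL.
    # GenericAll and GenericWrite overlap this mask, so they are flagged too.
    $rightNames = 'WriteProperty, CreateChild, DeleteChild, WriteDacl, WriteOwner'
    $writeMask  = [int][System.DirectoryServices.ActiveDirectoryRights]$rightNames

    # AppliesTo: an all-zero GUID means the entry covers the whole object;
    # any other GUID narrows it to one attribute, property set, extended
    # right or child object class.
    $columns = @(
        @{ n = 'Trustee';   e = { $_.IdentityReference.Value } }
        @{ n = 'Type';      e = { $_.AccessControlType } }
        @{ n = 'Rights';    e = { $_.ActiveDirectoryRights } }
        @{ n = 'AppliesTo'; e = { if ($_.ObjectType -eq [Guid]::Empty) { 'Whole object' } else { $_.ObjectType } } }
        @{ n = 'Source';    e = { if ($_.IsInherited) { 'Inherited' } else { 'Explicit' } } }
        @{ n = 'CanModify'; e = { ([int]$_.ActiveDirectoryRights -band $writeMask) -ne 0 } }
    )

    $rules | Select-Object -Property $columns
}

# Constructed placeholder DN; replace it with a container in your own domain.
# The filter keeps only permissions granted directly on this container that
# allow changes, which is where delegated administration shows up.
Get-AdAceReport -DistinguishedName 'OU=Sales,DC=example,DC=com' |
    Where-Object { $_.Source -eq 'Explicit' -and $_.Type -eq 'Allow' -and $_.CanModify } |
    Format-Table -AutoSize
```

Running the same report against a child object of that container shows the same entries with `Source` set to `Inherited`, unless inheritance has been blocked on the child.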