This image illustrates the concept of the Active Directory hierarchy.

At the top of the Active Directory hierarchy is the Domain Controller (DC). To keep this simple, let's say Acme company consists of about 2,000 employee's. In this scenario, let's say there is one administrator that controls the domain controller. This admin has full control of the Acme domain.

Often, employee's will probably ask for some type of permission change, typically when the user wants to be able to do something on their computer that is being restricted by a Group Policy Object (GPO) in Active Directory. While the admin may be able to support 2,000 employee's, it would be much better if the admin had some help. This is a compelling reason to create Organizational Units (OU). Of the 2,000 employee, let's say 500 are in Sales and 500 are in Support. In a scenario like this, it makes sense to create a Sales OU and a Support OU. Then, an user account can be created in Active Directory and assigned as a delegate (admin) of the OU. This user account would have the ability to change some, but not all, of the permissions for the groups that are included in the OU. For example, the Sales OU admin would be able to change some of the GPOs for the Remote Sales Group and Local Sales Group, but not the support groups. This removes some of the work load off of the DC admin, letting each OU admin handle some of the requests from the users in their groups.