question

0 Votes
GlennMaxwell-2309 asked HannahXiong-MSFT edited

AD permissions

Hi All

I have a user and I need to provide him permission to create users in Active Directory and add users to Active Directory groups (security groups, mail-enabled security groups and distribution lists which are in Active Directory, not from Exchange). What permissions do I need to provide at the OU level? I would also like to know about the domain level. Experts, please guide me.

Tags: windows-active-directory, windows-server-2019, windows-server-2016, windows-group-policy, windows-server-2012

0 Votes
HannahXiong-MSFT answered HannahXiong-MSFT edited

Hello @GlennMaxwell-2309,

Thank you so much for posting here.

In our experience, if we would like to grant the user the permission to create users and add users to groups, we could configure Delegate Control. For example:

1. Right-click the OU, and then choose Delegate Control.

[Image: 114016-image.png]

2. Add the user who will be granted the permissions.

[Image: 113910-image.png]

3. Grant the permissions as shown below.

[Image: 114024-image.png]

4. Then the user logs in and opens ADUC. He has the permissions to create new users and add users to the groups which are in this OU.

[Image: 114052-image.png]

[Image: 113880-image.png]

Notes:

Please kindly note that the user only has the permission to add users to the groups in this OU. If he tries to add a user to another group which is not in this OU, there is an error as shown below.

[Image: 114017-image.png]

Hope it helps. For any question, please feel free to contact us.

Best regards,
Hannah Xiong
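
To confirm what the Delegate Control wizard described in the answer above actually wrote on the OU, the following read-only check lists the explicit ACEs held by the delegated account and resolves their object-type GUIDs to schema names. It is an added example, not part of the original answer; the OU distinguished name and the account name are placeholders, and it assumes the ActiveDirectory (RSAT) module is installed.

```powershell
# Added example (read-only). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Placeholders: replace with the delegated OU and the delegate's sAMAccountName.
$OuDn    = 'OU=Staff,DC=example,DC=com'
$Account = 'helpdesk1'

# Build a GUID -> name map from the schema (classes and attributes) and the
# Extended-Rights container, so ACE object types are readable.
$rootDse = Get-ADRootDSE
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(rightsGuid=*)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

function Resolve-AceGuid {
    param([guid]$Guid)
    # An empty GUID means the ACE is not limited to one class or attribute.
    if ($Guid -eq [guid]::Empty) { return '(all)' }
    if ($guidMap.ContainsKey($Guid)) { return $guidMap[$Guid] }
    return $Guid.ToString()
}

# Explicit (non-inherited) ACEs set on the OU itself for the delegate.
# AppliesTo shows whether the ACE covers only the OU or also its descendants;
# OnObjectClass shows which descendant class (e.g. user, group) it targets.
(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -like "*\$Account" } |
    ForEach-Object {
        [pscustomobject]@{
            Access        = $_.AccessControlType
            Rights        = $_.ActiveDirectoryRights
            ObjectType    = Resolve-AceGuid $_.ObjectType
            AppliesTo     = $_.InheritanceType
            OnObjectClass = Resolve-AceGuid $_.InheritedObjectType
        }
    } | Format-Table -AutoSize -Wrap
```

Running the same check against an OU that was not delegated should return no rows for the account, which matches the note above that the rights stop at the delegated OU.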




1 Vote
DSPatrick answered

You can follow along here to delegate control.
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771454(v=ws.10)?redirectedfrom=MSDN

--please don't forget to upvote and Accept as answer if the reply is helpful--




0 Votes
GlennMaxwell-2309 answered

If I add the user to the Account Operators group, will it work?


0 Votes
DSPatrick answered

Probably yes.
https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups#account-operators

--please don't forget to upvote and Accept as answer if the reply is helpful--

