RST-1727 asked JamesHamil-MSFT answered

Azure AD DS Delegation

Hello Experts,

I am confused about the delegation that we do in on-prem AD versus Azure AD DS.

Item#1 - I have created a few security groups with users as members. Can I then delegate to these groups and separately grant Domain Join / Password reset / Manage GPOs rights on OUs (which will be created)?

Item#2 - I do have synced objects from on-prem and understand that these objects cannot be modified, as there is no sync back to on-prem.

I would like to know whether Item#1 is possible and whether my Item#2 understanding is correct.

If Item#1 is possible, how would the security group user (IT helpdesk) connect to the domain? I read that only those who are part of AAD DC Admins can access the domain through RSAT, so whoever is part of this Admins group naturally gets all rights; isn't there any way to control this?

My end goal: IT helpdesk connects to the domain and manages the new OU with their delegated rights.

Thanks in advance!

azure-ad-domain-services

@RST-1727, I am trying to get more information on this and will update you with the same. Azure AD Domain Services is not a replacement for on-premises AD and it may not have 100% feature parity. It was designed mainly to provide a way for legacy applications to authenticate using non-web-based auth protocols like NTLM/Kerberos.

Thameur-BOURBITA answered

Hi,

Item#1 - I have created a few security groups with users as members. Can I then delegate to these groups and separately grant Domain Join / Password reset / Manage GPOs rights on OUs (which will be created)?

Yes, it is possible to delegate to a user or a group the ability to perform additional actions, like resetting passwords, joining computers to the domain, etc.

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/delegating-administration-by-using-ou-objects

https://www.itprotoday.com/active-directory/view-or-remove-active-directory-delegated-permissions

Item#2 - I do have synced objects from on-prem and understand that these objects cannot be modified, as there is no sync back to on-prem.
I would like to know whether Item#1 is possible and whether my Item#2 understanding is correct.

If the user account is created in on-prem Active Directory, Azure AD Connect, which ensures the synchronization between on-prem and Azure Active Directory, will synchronize this object and create a new object.
We cannot modify the new object created from on-prem Active Directory and synchronized by Azure AD Connect; it can only be modified with the on-prem Active Directory administration tools.

If Item#1 is possible, how would the security group user (IT helpdesk) connect to the domain? I read that only those who are part of AAD DC Admins can access the domain through RSAT, so whoever is part of this Admins group naturally gets all rights; isn't there any way to control this?
My end goal: IT helpdesk connects to the domain and manages the new OU with their delegated rights.

The IT helpdesk can install the RSAT tools on their workstation to manage Active Directory and GPOs.

https://www.microsoft.com/en-us/download/details.aspx?id=45520

They can also use a member server and install the administration tools there to manage Active Directory and GPOs.

Please don't forget to mark this reply as the answer if it helps you fix your issue.
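The answer above says delegation of password reset and domain join is possible but does not show what the delegation looks like on the OU's ACL, and the question also asks about GPO rights and whether the helpdesk needs to be in AAD DC Administrators. The following PowerShell is an added example, not code from this thread or from Microsoft. It is run once, from a domain-joined management VM with RSAT, by a member of AAD DC Administrators, and grants the helpdesk group only the specific rights discussed, scoped to one custom OU; the helpdesk users themselves then use RSAT from any domain-joined machine without being in AAD DC Administrators. The OU distinguished name, the group name, the GPO name and the domain are assumptions chosen for the example.

```powershell
# Added example, not from this thread: delegate password reset, domain join and
# GPO editing on a custom Azure AD DS OU to a helpdesk security group.
# Run on a domain-joined management VM with RSAT, as a member of
# "AAD DC Administrators". OU DN, group name, GPO name and domain are assumptions.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$OuDn     = "OU=Helpdesk-Managed,DC=aaddscontoso,DC=com"   # assumed custom OU (not AADDC Users)
$GroupSam = "IT-Helpdesk"                                  # assumed security group
$GpoName  = "Helpdesk-Workstations"                        # assumed existing GPO

$sid = [System.Security.Principal.SecurityIdentifier](Get-ADGroup -Identity $GroupSam).SID

# Well-known schema GUIDs referenced by the ACEs below
$userClass     = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"  # user object class
$computerClass = [Guid]"bf967a86-0de6-11d0-a285-00aa003049e2"  # computer object class
$resetPassword = [Guid]"00299570-246d-11d0-a768-00aa006e0529"  # "Reset Password" control access right
$pwdLastSet    = [Guid]"bf967a0a-0de6-11d0-a285-00aa003049e2"  # pwdLastSet attribute

$Allow       = [System.Security.AccessControl.AccessControlType]::Allow
$Descendents = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$AllInherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All

$acl = Get-Acl -Path "AD:\$OuDn"

# 1. Password reset on user objects under the OU: the Reset Password extended
#    right plus write access to pwdLastSet (needed for "must change at next logon").
#    Both ACEs inherit only to objects of class "user", not to the OU itself.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    $Allow, $resetPassword, $Descendents, $userClass))
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    $Allow, $pwdLastSet, $Descendents, $userClass))

# 2. Domain join into this OU: create and delete computer objects only.
#    The account that creates the computer object becomes its owner, which is
#    what lets the join complete; re-joining a machine whose object someone
#    else created needs rights on that existing object and is not granted here.
$computerRights = [System.DirectoryServices.ActiveDirectoryRights]"CreateChild, DeleteChild"
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, $computerRights, $Allow, $computerClass, $AllInherit))

Set-Acl -Path "AD:\$OuDn" -AclObject $acl

# 3. GPO management: edit rights on one existing GPO, scoped to that GPO rather
#    than to every GPO in the domain. Linking it to the OU is a separate right
#    (write on the OU's gPLink attribute) and is deliberately not granted here.
Set-GPPermission -Name $GpoName -TargetName $GroupSam -TargetType Group -PermissionLevel GpoEdit

# Verify what the group actually holds on the OU. Nothing listed should be
# GenericAll, WriteDacl or WriteOwner; any of those is full control of the OU.
(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference -like "*\$GroupSam" } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType, InheritanceType
```

Two caveats a practitioner should keep in mind with this on a managed domain. First, it only works on a custom OU that AAD DC Administrators created; the built-in AADDC Users and AADDC Computers containers hold objects synchronized from Azure AD, and their passwords and attributes cannot be changed from the managed domain regardless of any ACE you add. Second, the verification step at the end is the actual control on the question "whoever is in the Admins group gets all rights": the helpdesk group is never added to AAD DC Administrators, and the ACL output is the place to confirm it holds exactly the three delegated rights and nothing broader.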




JamesHamil-MSFT answered

Hi, are there any updates on this case? If not, please mark the appropriate response as "Answered." Otherwise, please let us know how we can assist you.
