# Administrator Active Directory Permissions

The following table lists the group memberships or delegated permissions required to administer user accounts, groups, and computers in **Active Directory**, whether globally or within selected Organizational Units (OUs):

<table><thead><tr><th width="296">Operation</th><th>Permissions Needed</th></tr></thead><tbody><tr><td><mark style="color:blue;"><strong>User Management</strong></mark></td><td></td></tr><tr><td>Create Users</td><td><p>To perform administrative tasks in Active Directory, the following permissions or group memberships are required:</p><ul><li>You must be a member of the <strong>built-in Administrators group</strong> or the <strong>Account Operators group</strong>, <strong>OR</strong></li><li>You must have specific permissions to <strong>create, delete, and manage user accounts</strong> or equivalent permissions within the relevant <strong>Organizational Unit (OU)</strong> or container in Active Directory.</li></ul><p>These permissions ensure you have the necessary rights to manage user accounts, groups, and computers in the designated areas of the directory.</p></td></tr><tr><td>Modify Users</td><td><ul><li>You must be a member of the <strong>built-in Administrators group</strong> or the <strong>Account Operators group</strong>, <strong>OR</strong></li><li>You must have the necessary permissions to <strong>create, delete, and manage user accounts</strong> or equivalent permissions within the relevant <strong>Organizational Unit (OU)</strong> or container in Active Directory.</li></ul><p><strong>Note:</strong> It is also possible to grant permissions to modify <strong>specific attributes</strong> of an object, rather than granting full control over the entire object. 
This allows for more granular control over what aspects of the user accounts or other objects can be changed.</p></td></tr><tr><td>Delete Users</td><td><ul><li>Must be a member of the <strong>built-in Administrators group</strong> or the <strong>Account Operators group</strong>, <strong>OR</strong></li><li>Must have the necessary permissions to <strong>create, delete, and manage user accounts</strong> or equivalent permissions within the relevant <strong>Organizational Unit (OU)</strong> or container in Active Directory.</li></ul></td></tr><tr><td><mark style="color:blue;"><strong>Computer Management</strong></mark></td><td></td></tr><tr><td>Create Computers</td><td><ul><li>Must be a member of the <strong>built-in Administrators group</strong> or the <strong>Account Operators group</strong>, <strong>OR</strong></li><li>Must have the <strong>‘Computer Objects – Create selected objects in this folder’</strong> permission, or an equivalent permission within the relevant <strong>Organizational Unit (OU)</strong> or container in Active Directory.</li></ul></td></tr><tr><td>Modify Computers</td><td><ul><li>Must be a member of the <strong>built-in Administrators group</strong> or the <strong>Account Operators group</strong>, <strong>OR</strong></li><li>Must have the <strong>‘Computer Objects – Create selected objects in this folder: with write permission’</strong>, or an equivalent permission in the relevant <strong>Organizational Unit (OU)</strong> or container in Active Directory.</li></ul></td></tr><tr><td>Delete Computers</td><td><ul><li>Must be a member of the <strong>built-in Administrators group</strong> or the <strong>Account Operators group</strong>, <strong>OR</strong></li><li>Must have the <strong>‘Computer Objects – Delete selected objects’</strong> permission, or an equivalent permission in the relevant <strong>Organizational Unit (OU)</strong> or container in Active Directory.</li></ul></td></tr><tr><td><mark style="color:blue;"><strong>Group 
Management</strong></mark></td><td></td></tr><tr><td>Create Groups</td><td><ul><li>Must be a member of the <strong>built-in Administrators group</strong> or the <strong>Account Operators group</strong>, <strong>OR</strong></li><li>Must have the <strong>‘Create, manage, and delete user groups’</strong> permission, or an equivalent permission in the relevant <strong>Organizational Unit (OU)</strong> or container in Active Directory.</li></ul></td></tr><tr><td>Modify Groups</td><td><ul><li>Must be a member of the <strong>built-in Administrators group</strong> or the <strong>Account Operators group</strong>, <strong>OR</strong></li><li>Must have the <strong>‘Create, manage, and delete user groups’</strong> permission, or an equivalent permission in the relevant <strong>Organizational Unit (OU)</strong> or container in Active Directory.</li></ul></td></tr><tr><td>Delete Groups</td><td><ul><li>Must be a member of the <strong>built-in Administrators group</strong> or the <strong>Account Operators group</strong>, <strong>OR</strong></li><li>Must have the <strong>‘Create, manage, and delete user groups’</strong> permission, or an equivalent permission within the relevant <strong>Organizational Unit (OU)</strong> or container in Active Directory.</li></ul></td></tr></tbody></table>
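
To review who already holds the create and delete rights listed in the table on a given OU, the following added example (not part of the original page) reads the OU's ACL and reports every allow ACE that grants create-child or delete-child for user, computer, or group objects. The OU distinguished name is a placeholder; the script assumes the RSAT ActiveDirectory module is installed and is narrowed to create/delete rights, so attribute-level write ACEs used for the modify rows are out of scope.

```powershell
# Added example: report trustees that can create or delete user, computer,
# or group objects in one OU. Read-only; it changes nothing in the directory.
Import-Module ActiveDirectory                     # provides the AD: drive used by Get-Acl
Add-Type -AssemblyName System.DirectoryServices   # ActiveDirectoryRights enum

# Assumption: placeholder DN. Replace with the OU you want to review.
$OuDn = 'OU=Staff,DC=example,DC=com'

# schemaIDGUID of each object class covered by the table above.
$ClassGuids = @{
    'bf967aba-0de6-11d0-a285-00aa003049e2' = 'user'
    'bf967a86-0de6-11d0-a285-00aa003049e2' = 'computer'
    'bf967a9c-0de6-11d0-a285-00aa003049e2' = 'group'
}
# An all-zero ObjectType means the ACE is not limited to one child class.
$AllClasses = [guid]::Empty

# Rights that let a trustee add or remove child objects. GenericAll (Full
# Control) contains both bits, so it is matched by the same mask.
$Mask = [int][System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'

(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.ActiveDirectoryRights -band $Mask) -ne 0) -and
        ($_.ObjectType -eq $AllClasses -or
         $ClassGuids.ContainsKey($_.ObjectType.ToString()))
    } |
    ForEach-Object {
        [pscustomobject]@{
            Trustee    = $_.IdentityReference.Value
            Rights     = $_.ActiveDirectoryRights
            ChildClass = if ($_.ObjectType -eq $AllClasses) { 'all classes' }
                         else { $ClassGuids[$_.ObjectType.ToString()] }
            Inherited  = $_.IsInherited   # True = granted higher up the tree
        }
    } |
    Sort-Object Trustee, ChildClass |
    Format-Table -AutoSize
```

The report covers ACEs on the OU only. Rights that come from membership in the built-in Administrators or Account Operators groups should be reviewed separately, for example with `Get-ADGroupMember`.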
