Administrator Active Directory Permissions
To administer user accounts, groups, and computers in Active Directory (whether globally or within selected Organizational Units (OUs)), refer to the following table for the key details:
Operation | Permissions Needed |
---|---|
User Management | |
Create Users | To perform administrative tasks in Active Directory, the following permissions or group memberships are required: you must be a member of the built-in Administrators group or the Account Operators group, OR you must have specific permissions to create, delete, and manage user accounts or equivalent permissions within the relevant Organizational Unit (OU) or container in Active Directory. These permissions ensure you have the necessary rights to manage user accounts, groups, and computers in the designated areas of the directory. |
Modify Users | You must be a member of the built-in Administrators group or the Account Operators group, OR you must have the necessary permissions to create, delete, and manage user accounts or equivalent permissions within the relevant Organizational Unit (OU) or container in Active Directory. Note: It is also possible to grant permissions to modify specific attributes of an object, rather than granting full control over the entire object. This allows for more granular control over what aspects of the user accounts or other objects can be changed. |
Delete Users | Must be a member of the built-in Administrators group or the Account Operators group, OR must have the necessary permissions to create, delete, and manage user accounts or equivalent permissions within the relevant Organizational Unit (OU) or container in Active Directory. |
Computer Management | |
Create Computers | Must be a member of the built-in Administrators group or the Account Operators group, OR must have the ‘Computer Objects – Create selected objects in this folder’ permission, or an equivalent permission within the relevant Organizational Unit (OU) or container in Active Directory. |
Modify Computers | Must be a member of the built-in Administrators group or the Account Operators group, OR must have the ‘Computer Objects – Create selected objects in this folder: with write permission’, or an equivalent permission in the relevant Organizational Unit (OU) or container in Active Directory. |
Delete Computers | Must be a member of the built-in Administrators group or the Account Operators group, OR must have the ‘Computer Objects – Delete selected objects’ permission, or an equivalent permission in the relevant Organizational Unit (OU) or container in Active Directory. |
Group Management | |
Create Groups | Must be a member of the built-in Administrators group or the Account Operators group, OR must have the ‘Create, manage, and delete user groups’ permission, or an equivalent permission in the relevant Organizational Unit (OU) or container in Active Directory. |
Modify Groups | Must be a member of the built-in Administrators group or the Account Operators group, OR must have the ‘Create, manage, and delete user groups’ permission, or an equivalent permission in the relevant Organizational Unit (OU) or container in Active Directory. |
Delete Groups | Must be a member of the built-in Administrators group or the Account Operators group, OR must have the ‘Create, manage, and delete user groups’ permission, or an equivalent permission within the relevant Organizational Unit (OU) or container in Active Directory. |
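
Every operation in the table can be reached two ways: membership in a built-in group, or a permission delegated on the OU or container. The PowerShell below is an added example, not part of the original page; it reports both routes for one OU so the delegation can be reviewed. It assumes the RSAT ActiveDirectory module is installed, and the OU distinguished name is a placeholder.

```powershell
# Added example, not from the original page. Assumes the RSAT ActiveDirectory
# module; $OuDn is a placeholder to replace with the OU under review.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices
$OuDn = 'OU=Staff,DC=example,DC=com'

# schemaIDGUIDs of the object classes in the table; the empty GUID means the
# ACE is not scoped to a single class.
$Classes = @{
    'bf967aba-0de6-11d0-a285-00aa003049e2' = 'user'
    'bf967a86-0de6-11d0-a285-00aa003049e2' = 'computer'
    'bf967a9c-0de6-11d0-a285-00aa003049e2' = 'group'
    '00000000-0000-0000-0000-000000000000' = 'all'
}
$R = [System.DirectoryServices.ActiveDirectoryRights]
$ChildMask = [int]($R::CreateChild -bor $R::DeleteChild)
$WriteMask = [int]$R::WriteProperty

# 1. Delegated route: Allow ACEs on the OU that cover user/computer/group objects.
#    GenericAll (full control) contains all three bits, so it is reported too.
$delegated = foreach ($ace in (Get-Acl -Path "AD:\$OuDn").Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $rights = [int]$ace.ActiveDirectoryRights
    # Create/Delete Child ACEs name the child class in ObjectType.
    $child = if ($rights -band $ChildMask) { $Classes[$ace.ObjectType.ToString()] }
    # Write ACEs name the class they apply to in InheritedObjectType.
    $target = if ($rights -band $WriteMask) { $Classes[$ace.InheritedObjectType.ToString()] }
    if (-not $child -and -not $target) { continue }
    [pscustomobject]@{
        Principal  = $ace.IdentityReference.Value
        Rights     = $ace.ActiveDirectoryRights
        ChildClass = $child      # class that may be created or deleted
        AppliesTo  = $target     # class whose attributes may be written
        Inherited  = $ace.IsInherited
    }
}

# 2. Group route: effective members of the two built-in groups named in the table.
$builtin = foreach ($g in 'Administrators', 'Account Operators') {
    Get-ADGroupMember -Identity $g -Recursive |
        Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, objectClass
}

$delegated | Sort-Object Principal | Format-Table -AutoSize
$builtin   | Format-Table -AutoSize
```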