Administrator Active Directory Permissions

To administer user accounts, groups, and computers in Active Directory (whether globally or within selected Organizational Units (OUs)), refer to the following table for the key details:

OperationPermissions Needed

User Management

Create Users

To perform administrative tasks in Active Directory, the following permissions or group memberships are required:

  • You must be a member of the built-in Administrators group or the Account Operators group, OR

  • You must have specific permissions to create, delete, and manage user accounts or equivalent permissions within the relevant Organizational Unit (OU) or container in Active Directory.

These permissions ensure you have the necessary rights to manage user accounts, groups, and computers in the designated areas of the directory.

Modify Users

  • You must be a member of the built-in Administrators group or the Account Operators group, OR

  • You must have the necessary permissions to create, delete, and manage user accounts or equivalent permissions within the relevant Organizational Unit (OU) or container in Active Directory.

Note: It is also possible to grant permissions to modify specific attributes of an object, rather than granting full control over the entire object. This allows for more granular control over what aspects of the user accounts or other objects can be changed.

Delete Users

  • Must be a member of the built-in Administrators group or the Account Operators group, OR

  • Must have the necessary permissions to create, delete, and manage user accounts or equivalent permissions within the relevant Organizational Unit (OU) or container in Active Directory.

Computer Management

Create Computers

  • Must be a member of the built-in Administrators group or the Account Operators group, OR

  • Must have the ‘Computer Objects – Create selected objects in this folder’ permission, or an equivalent permission within the relevant Organizational Unit (OU) or container in Active Directory.

Modify Computers

  • Must be a member of the built-in Administrators group or the Account Operators group, OR

  • Must have the ‘Computer Objects – Create selected objects in this folder: with write permission’, or an equivalent permission in the relevant Organizational Unit (OU) or container in Active Directory.

Delete Computers

  • Must be a member of the built-in Administrators group or the Account Operators group, OR

  • Must have the ‘Computer Objects – Delete selected objects’ permission, or an equivalent permission in the relevant Organizational Unit (OU) or container in Active Directory.

Group Management

Create Groups

  • Must be a member of the built-in Administrators group or the Account Operators group, OR

  • Must have the ‘Create, manage, and delete user groups’ permission, or an equivalent permission in the relevant Organizational Unit (OU) or container in Active Directory.

Modify Groups

  • Must be a member of the built-in Administrators group or the Account Operators group, OR

  • Must have the ‘Create, manage, and delete user groups’ permission, or an equivalent permission in the relevant Organizational Unit (OU) or container in Active Directory.

Delete Groups

  • Must be a member of the built-in Administrators group or the Account Operators group, OR

  • Must have the ‘Create, manage, and delete user groups’ permission, or an equivalent permission within the relevant Organizational Unit (OU) or container in Active Directory.

Last updated