Assign permissions to Active Directory through security groups

lalajee 1,811 Reputation points


I'm in the process of removing all users from domain admin and assigning them the rights which they need in AD.

Can someone please let me know which rights I need to give?

Support_Senior - Able to do anything within Active Directory (join to domain, edit/update/create/delete users/computers, create/delete/update OU)

Support_Tech - Should be able to join computers to the domain and edit/update/create/delete users/computers; should not be able to create/delete/update OU


Accepted answer
  1. Thameur-BOURBITA 28,471 Reputation points

    Hi @lalajee ,

    This is a good approach to improve the security state of your Active Directory.

    Regarding AD objects, you can, based on the organizational unit structure, set delegations to give a user or security group permission to manage objects under a specific organizational unit.

    For your case, you can create two security groups: one for Senior and one for Tech.

    The Senior group will have full control over all objects in the OU, and the Tech group will have control only over computer objects, as mentioned in the article below:


    Please don't forget to mark helpful answer as accepted

    1 person found this answer helpful.
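
The OU-level delegation described in the answer, sketched as an added example (not part of the original thread or of any Microsoft article). It uses the `ActiveDirectory` module and `dsacls`; the domain `example.com`, the NetBIOS name `EXAMPLE` and the OU names are placeholders, and the Tech group is given both user and computer objects as the question asks.

```powershell
# Added example. Placeholder values below: replace with your own domain and OUs.
Import-Module ActiveDirectory

$ou      = 'OU=Managed,DC=example,DC=com'   # hypothetical OU holding the users/computers
$groupOu = 'OU=Groups,DC=example,DC=com'    # hypothetical OU for the role groups
$netbios = 'EXAMPLE'                        # hypothetical NetBIOS domain name

# One security group per support tier (group names taken from the question).
foreach ($name in 'Support_Senior', 'Support_Tech') {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security -Path $groupOu
    }
}

$senior = "$netbios\Support_Senior"
$tech   = "$netbios\Support_Tech"

# Senior: full control (GA) on the OU and everything beneath it (/I:T),
# which includes creating, changing and deleting child OUs.
dsacls $ou /I:T /G "${senior}:GA"

# Tech: no rights on organizationalUnit objects, only on the listed classes.
# The question asks for users and computers; drop 'user' to match the
# answer's computer-only suggestion.
foreach ($class in 'computer', 'user') {
    # Create/delete child objects of this class in the OU and sub-OUs.
    # Creating computer objects is what joining a machine into this OU needs.
    dsacls $ou /I:T /G "${tech}:CCDC;$class"
    # Full control on existing descendant objects of this class only (/I:S).
    dsacls $ou /I:S /G "${tech}:GA;;$class"
}

# Review the explicit entries that were just written to the OU.
(Get-Acl "AD:\$ou").Access |
    Where-Object { $_.IdentityReference -like '*\Support_*' -and -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType,
                  ObjectType, InheritedObjectType |
    Format-Table -AutoSize
```

Full control on user objects includes password reset, so keep administrative and service accounts in an OU outside the delegated one.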
