How to give permissions to one account to create/modify/delete OU in Active Directory


I have one account and I don't want to give it Administrator permissions, only to create OUs, users, and groups. The trouble is that Accounts Operator can't create OUs; how can I add a group for this purpose? Or can I change the permissions of the Accounts Operator group?

The domain is made with Windows Server 2003.

Best Answer

There are two ways you can really do this.

  1. As above, go into the Active Directory Users and Computers console, create an OU just under your domain that envelops your entire domain, then use the Delegate Control Wizard to provide the permissions to the users or groups as needed. That tool can be found by right-clicking the OU in question. For organization reasons, it is generally best to create a group and nest in it all the users that need to administer the OU and groups. This means that you can add and remove users with those permissions quickly without having to further change your base distribution.

  2. Go into the 'View' menu in Active Directory Users and Computers and enable the 'Advanced Features' option. You can then right-click on your base domain OU, or the secondary OU that you create as I suggested above, and go into the properties. With the Advanced View on, each OU will now have its own Security tab. From there you can go to each security group and granularly alter the permissions on those OUs based on groups or users. If you go into the advanced view in Security, you can break each permission down into its components and alter them as specifically or as openly as you'd like.
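
The same delegation can be scripted instead of clicked through. The following is an added example, not part of the original answer: it writes the kind of ACEs the Security tab exposes through ADSI, which needs no Active Directory PowerShell module. The OU distinguished name and group name are assumed placeholders; the three GUIDs are the schemaIDGUID values of the organizationalUnit, user and group classes.

```powershell
# Assumed placeholders: replace with your own delegation root and delegate group.
$ouDn      = 'OU=Managed,DC=example,DC=com'
$groupName = 'EXAMPLE\OU-Admins'

# schemaIDGUIDs of the object classes being delegated.
$classGuids = @(
    [Guid]'bf967aa5-0de6-11d0-a285-00aa003049e2',  # organizationalUnit
    [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2',  # user
    [Guid]'bf967a9c-0de6-11d0-a285-00aa003049e2'   # group
)

$ou = [ADSI]"LDAP://$ouDn"
# Read and write only the DACL, so the commit does not try to rewrite owner or SACL.
$ou.psbase.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Dacl

$sid = (New-Object System.Security.Principal.NTAccount($groupName)).Translate(
    [System.Security.Principal.SecurityIdentifier])

$allow        = [System.Security.AccessControl.AccessControlType]::Allow
$createDelete = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'
$fullControl  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$inheritAll   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$descendants  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

foreach ($guid in $classGuids) {
    # Create/delete objects of this class in the OU and in every container below it.
    $aceCreate = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $createDelete, $allow, $guid, $inheritAll)
    # Full control over objects of this class below the OU (not the OU itself).
    $aceManage = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $fullControl, $allow, $descendants, $guid)
    $ou.psbase.ObjectSecurity.AddAccessRule($aceCreate)
    $ou.psbase.ObjectSecurity.AddAccessRule($aceManage)
}
$ou.psbase.CommitChanges()

# Verify: list only the explicit ACEs now held by the delegate group on this OU.
$ou.psbase.RefreshCache()
$ou.psbase.ObjectSecurity.GetAccessRules(
        $true, $false, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference.Value -eq $sid.Value } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType
```

Because the ACEs are scoped to the OU and its descendants, the group gets no rights elsewhere in the domain, and membership changes alone add or remove delegated administrators.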