Full control applied to Group Objects
Create/Delete Group Objects applied to this object (OU they manage) and child objects
Full control applied to user objects
Create/Delete User Objects applied to this object (Ou the manage) and child objects
They will be able to add/delete users and groups, change group memberships, reset passwords, etc. They will NOT be able to delegate permissions on the OU, add/delete any OU or child OU.
Dig deeper on Microsoft Active Directory
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.