What permissions are needed for a helpdesk admin to create users in AD?
What permissions are needed for a helpdesk admin to create users in AD? I don't want this person to be a domain administrator, we have 2003 DCs.
Solution 1:
Try using Delegate control as i think this will be the solution for fine tuning this access.
Setup the helpdesk admin as a security group in ADUC if not already in place and from there you can then go to view/advanced options, right click an OU to be more specific or the domain as a whole, specify which rights (add users) and include the security group.
Take a look at http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/d7ad344d-0fcf-4a80-9fe0-cac802df25bb for reference.
Solution 2:
It's preferable to do this at the OU level by delegating control as Nicholas indicates. If you need to give them the ability to create and manage user accounts and groups everywhere, then there is the BUILTIN\Account Operators group. This group functions like it did in NT4. Because of that, it probably has too many rights for what you're looking for, but I mention it because sometimes that is exactly what folks want, especially when putting in permissions through a 3rd party product.