Active Directory, control to users

You're looking for the Delegation of Control functionality in Active Directory Users and Computers. I don't prefer @Harry Johnston's answer because, while technically valid, you really should use the "Wizard" so that you don't have to muck about with the specific entries in the access control lists (ACLs) you're trying to manage.

Assume a Directory that looks as follows:

[domain]  ad.company.com
   |
   |-- [OU]  Sales
   |     |
   |   [user]  Bob, Sales Manager
   |
   |-- [OU]  Service
   |     |
   |   [user]  Jane, Service Manager
   |
   |-- [OU]  Security Groups
   |     |
   |     |-- [OU]  Groups Managed by Delegates
   |     |     |
   |     |   [group]  Sales Gerbils
   |     |     |
   |     |   [group]  Service Technicians
   |     | 
   |   [group]  Delegated Sales Managers
   |     |
   |   [group]  Delegated Service Managers
   |     |
  ...   ...

Assuming you'd like Bob to be able to create new Sales users and Jane to be able to create new Service users, you'd:

  • Make Bob a member of the "Delegated Sales Managers" group
  • Make Jane a member of the "Delegated Service Managers" group
  • Use the "Delegation of Control" wizard at the "Sales" OU to grant "Create, delete, and manage user accounts" permissions to the "Delegated Sales Managers" group
  • Use the "Delegation of Control" wizard at the "Service" OU to grant "Create, delete, and manage user accounts" permissions to the "Delegated Service Managers" group

This would allow Bob and Jane to create user accounts in the appropriate OUs, but it wouldn't allow them to make the users members of groups. By putting groups that Bob and Jane are permitted to manage the membership for under the "Groups Managed by Delegates" OU and using the Delegation of Control wizard to grant "Delegated Sales Managers" and "Delegated Service Managers" the "Modify the membership of a group" right on the "Groups Managed by Delegates" OU, both Bob and Jane would be permitted to add users (users they create or other users that already exist in the Directory!) to the groups in and below this OU.

If you wanted to stop Bob from adding users to the "Service Technicians" group and Jane to the "Sales Gerbils" group you could create sub-OUs under the "Groups Managed by Delegates" OU and delegate control there (a "Sales Groups" OU and a "Service Groups" OU, for example).

The nice thing is that you can create a test OU in your Directory, create some test accounts and groups, and play around with this functionality without impacting the rest of your Directory. Give it a shot and test out your solution before you roll it out to users.
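The same delegation, expressed as code so it can be repeated in a test OU and reviewed afterwards. This is an added example and not part of the answer above; it uses the ActiveDirectory module's `AD:` drive to write the ACEs that the wizard's "Create, delete, and manage user accounts" and "Modify the membership of a group" tasks produce, and then lists the explicit ACEs on an OU so you can see what was actually granted. The domain name `ad.company.com` and the OU and group names are taken from the diagram; the helper function names are my own.

```powershell
# Added example (not from the original answer): script the two wizard tasks as explicit
# ACEs and list the result. Assumes the RSAT ActiveDirectory module and the OU/group
# names from the answer's diagram (domain ad.company.com).
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName          # DC=ad,DC=company,DC=com in the example
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Resolve schemaIDGUIDs from the schema instead of hard-coding them.
function Get-SchemaIdGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}
$userClass  = Get-SchemaIdGuid 'user'
$groupClass = Get-SchemaIdGuid 'group'
$memberAttr = Get-SchemaIdGuid 'member'
$guidNames  = @{}                     # GUID -> name, for the review output
$guidNames[$userClass]  = 'user'
$guidNames[$groupClass] = 'group'
$guidNames[$memberAttr] = 'member'

$Allow       = [System.Security.AccessControl.AccessControlType]::Allow
$ThisAndSubs = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$Descendents = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

# Read the OU's security descriptor, append the rules, write it back.
function Add-DelegationAces {
    param([string]$TargetDN, [System.DirectoryServices.ActiveDirectoryAccessRule[]]$Rules)
    $acl = Get-Acl -Path "AD:\$TargetDN"
    foreach ($r in $Rules) { $acl.AddAccessRule($r) }
    Set-Acl -Path "AD:\$TargetDN" -AclObject $acl
}

# Wizard task "Create, delete, and manage user accounts":
#   CreateChild/DeleteChild of user objects on the OU and its sub-OUs, plus full control
#   over user objects beneath it (inherit-only, so not over the OU itself).
function Grant-UserAccountManagement {
    param([string]$OuDN, [string]$GroupName)
    $sid = (Get-ADGroup -Identity $GroupName).SID
    Add-DelegationAces -TargetDN $OuDN -Rules @(
        [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
            $sid, [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
            $Allow, $userClass, $ThisAndSubs),
        [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
            $sid, [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
            $Allow, $Descendents, $userClass)
    )
}

# Wizard task "Modify the membership of a group":
#   read/write of the member attribute on group objects beneath the OU.
function Grant-GroupMembershipManagement {
    param([string]$OuDN, [string]$GroupName)
    $sid = (Get-ADGroup -Identity $GroupName).SID
    Add-DelegationAces -TargetDN $OuDN -Rules @(
        [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
            $sid, [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
            $Allow, $memberAttr, $Descendents, $groupClass)
    )
}

# Review step: explicit (non-inherited) ACEs on an OU, with the GUIDs we know mapped back
# to schema names. Unknown GUIDs (e.g. extended rights) are shown as-is.
function Get-ExplicitDelegation {
    param([string]$OuDN)
    $acl = Get-Acl -Path "AD:\$OuDN"
    $acl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object {
        $obj = if ($_.ObjectType -eq [guid]::Empty) { 'All' } elseif ($guidNames.ContainsKey($_.ObjectType)) { $guidNames[$_.ObjectType] } else { "$($_.ObjectType)" }
        $inh = if ($_.InheritedObjectType -eq [guid]::Empty) { 'All' } elseif ($guidNames.ContainsKey($_.InheritedObjectType)) { $guidNames[$_.InheritedObjectType] } else { "$($_.InheritedObjectType)" }
        [pscustomobject]@{
            Trustee     = $_.IdentityReference
            Type        = $_.AccessControlType
            Rights      = $_.ActiveDirectoryRights
            ObjectType  = $obj
            AppliesTo   = $inh
            Inheritance = $_.InheritanceType
        }
    }
}

# Apply the delegation from the answer, then review what Sales now carries.
Grant-UserAccountManagement -OuDN "OU=Sales,$domainDN"   -GroupName 'Delegated Sales Managers'
Grant-UserAccountManagement -OuDN "OU=Service,$domainDN" -GroupName 'Delegated Service Managers'
$groupsOU = "OU=Groups Managed by Delegates,OU=Security Groups,$domainDN"
Grant-GroupMembershipManagement -OuDN $groupsOU -GroupName 'Delegated Sales Managers'
Grant-GroupMembershipManagement -OuDN $groupsOU -GroupName 'Delegated Service Managers'
Get-ExplicitDelegation -OuDN "OU=Sales,$domainDN" | Format-Table -AutoSize
```

`Set-Acl` needs the caller to hold WriteDACL (or ownership) on the target OU, so run it as an account that is allowed to change permissions there, and point `$domainDN`-relative paths at your test OU first, as the answer suggests. `Get-ExplicitDelegation` is also useful on its own for periodic review: anything explicit on an OU that you did not put there deserves a look, and the wizard gives you no such listing.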