Delegating Control -- Windows Active Directory

Check the permissions on both objects. To review the permissions, you view the "Security" tab just like you would with a file or folder.

Since there is no "Security" tab, you'll need to go to the View menu in Active Directory Users and Computers and select Advanced Features. Then you'll be able to see the security tab and verify the permissions on the objects.


Objects created in Active Directory have "Creator Owner" permissions granted to, well, the Creator/Owner. This can have unexpected effects. For example, one of the desktop techs at a previous job discovered that he could delete some PCs out of AD despite not having explicit permission to do so, but only if he was the one who added them. This was because he was the creator of the PC object, and as such had special permissions on it.

Your statement on Jack's answer, "Any object created after I delegated authority to the site-admin shows the siteadmin with full control. There are a few 1000 users that have been made beforehand," suggests to me that something similar is going on. I imagine that if you pull up one of the objects created by the siteadmin and choose Security -> Advanced -> Owner, you'll find your siteadmin owns that object.

If you want the siteadmin to have full control over that OU, you probably need to explicitly grant that permission in the security tab under advanced features that Jack mentioned. Unlock/change password is probably modify.
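
A read-only way to check the ownership explanation from the answers above across a whole OU, rather than opening the Security tab object by object. This is an added example, not part of either answer; it assumes the RSAT ActiveDirectory module is installed, and the OU distinguished name and the account name are placeholders to replace with your own.

```powershell
# Added example: report the owner of every user/computer object in an OU and
# which Allow ACEs the delegated account holds, split into explicit and inherited.
Import-Module ActiveDirectory   # also provides the AD: drive used by Get-Acl

$SearchBase = 'OU=Site1,DC=example,DC=com'   # placeholder OU (assumption)
$Delegate   = 'EXAMPLE\siteadmin'            # placeholder account (assumption)

$report = Get-ADObject -SearchBase $SearchBase -SearchScope Subtree `
        -LDAPFilter '(|(objectClass=user)(objectClass=computer))' `
        -Properties whenCreated |
    ForEach-Object {
        # Read the security descriptor of the object (no changes are made)
        $acl  = Get-Acl -Path ("AD:\" + $_.DistinguishedName)

        # Allow ACEs that name the delegate directly (group membership is not expanded)
        $aces = @($acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $Delegate -and
            $_.AccessControlType -eq 'Allow'
        })
        $explicit  = @($aces | Where-Object { -not $_.IsInherited })
        $inherited = @($aces | Where-Object { $_.IsInherited })

        [pscustomobject]@{
            Name            = $_.Name
            Class           = $_.ObjectClass
            Created         = $_.whenCreated
            Owner           = $acl.Owner
            OwnedByDelegate = ($acl.Owner -eq $Delegate)
            ExplicitRights  = ($explicit.ActiveDirectoryRights  | Sort-Object -Unique) -join '; '
            InheritedRights = ($inherited.ActiveDirectoryRights | Sort-Object -Unique) -join '; '
        }
    }

# Objects the delegate created (and therefore owns) versus everything else
$report | Sort-Object OwnedByDelegate, Created |
    Format-Table Name, Class, Created, Owner, OwnedByDelegate -AutoSize

# Objects where the delegate is not the owner and has no direct Allow ACE:
# these are the ones an explicit grant on the OU would need to cover.
$report |
    Where-Object { -not $_.OwnedByDelegate -and -not $_.ExplicitRights -and -not $_.InheritedRights } |
    Select-Object Name, Class, Created, Owner
```

If the older objects all fall into the second list while the newer ones show the delegate as owner, the difference comes from ownership rather than from the delegation applied to the OU.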