# Administrator Active Directory Permissions

To administer user accounts, groups, and computers in **Active Directory** (whether globally or within selected Organizational Units (OUs)), refer to the following table for the key details:

<table><thead><tr><th width="296">Operation</th><th>Permissions Needed</th></tr></thead><tbody><tr><td><mark style="color:blue;"><strong>User Management</strong></mark></td><td></td></tr><tr><td>Create Users</td><td><p>To perform administrative tasks in Active Directory, the following permissions or group memberships are required:</p><ul><li>You must be a member of the <strong>built-in Administrators group</strong> or the <strong>Account Operators group</strong>, <strong>OR</strong></li><li>You must have specific permissions to <strong>create, delete, and manage user accounts</strong> or equivalent permissions within the relevant <strong>Organizational Unit (OU)</strong> or container in Active Directory.</li></ul><p>These permissions ensure you have the necessary rights to manage user accounts, groups, and computers in the designated areas of the directory.</p></td></tr><tr><td>Modify Users</td><td><ul><li>You must be a member of the <strong>built-in Administrators group</strong> or the <strong>Account Operators group</strong>, <strong>OR</strong></li><li>You must have the necessary permissions to <strong>create, delete, and manage user accounts</strong> or equivalent permissions within the relevant <strong>Organizational Unit (OU)</strong> or container in Active Directory.</li></ul><p><strong>Note:</strong> It is also possible to grant permissions to modify <strong>specific attributes</strong> of an object, rather than granting full control over the entire object. This allows for more granular control over what aspects of the user accounts or other objects can be changed.</p></td></tr><tr><td>Delete Users</td><td><ul><li>Must be a member of the <strong>built-in Administrators group</strong> or the <strong>Account Operators group</strong>, <strong>OR</strong></li><li>Must have the necessary permissions to <strong>create, delete, and manage user accounts</strong> or equivalent permissions within the relevant <strong>Organizational Unit (OU)</strong> or container in Active Directory.</li></ul></td></tr><tr><td><mark style="color:blue;"><strong>Computer Management</strong></mark></td><td></td></tr><tr><td>Create Computers</td><td><ul><li>Must be a member of the <strong>built-in Administrators group</strong> or the <strong>Account Operators group</strong>, <strong>OR</strong></li><li>Must have the <strong>‘Computer Objects – Create selected objects in this folder’</strong> permission, or an equivalent permission within the relevant <strong>Organizational Unit (OU)</strong> or container in Active Directory.</li></ul></td></tr><tr><td>Modify Computers</td><td><ul><li>Must be a member of the <strong>built-in Administrators group</strong> or the <strong>Account Operators group</strong>, <strong>OR</strong></li><li>Must have the <strong>‘Computer Objects – Create selected objects in this folder: with write permission’</strong>, or an equivalent permission in the relevant <strong>Organizational Unit (OU)</strong> or container in Active Directory.</li></ul></td></tr><tr><td>Delete Computers</td><td><ul><li>Must be a member of the <strong>built-in Administrators group</strong> or the <strong>Account Operators group</strong>, <strong>OR</strong></li><li>Must have the <strong>‘Computer Objects – Delete selected objects’</strong> permission, or an equivalent permission in the relevant <strong>Organizational Unit (OU)</strong> or container in Active Directory.</li></ul></td></tr><tr><td><mark style="color:blue;"><strong>Group Management</strong></mark></td><td></td></tr><tr><td>Create Groups</td><td><ul><li>Must be a member of the <strong>built-in Administrators group</strong> or the <strong>Account Operators group</strong>, <strong>OR</strong></li><li>Must have the <strong>‘Create, manage, and delete user groups’</strong> permission, or an equivalent permission in the relevant <strong>Organizational Unit (OU)</strong> or container in Active Directory.</li></ul></td></tr><tr><td>Modify Groups</td><td><ul><li>Must be a member of the <strong>built-in Administrators group</strong> or the <strong>Account Operators group</strong>, <strong>OR</strong></li><li>Must have the <strong>‘Create, manage, and delete user groups’</strong> permission, or an equivalent permission in the relevant <strong>Organizational Unit (OU)</strong> or container in Active Directory.</li></ul></td></tr><tr><td>Delete Groups</td><td><ul><li>Must be a member of the <strong>built-in Administrators group</strong> or the <strong>Account Operators group</strong>, <strong>OR</strong></li><li>Must have the <strong>‘Create, manage, and delete user groups’</strong> permission, or an equivalent permission within the relevant <strong>Organizational Unit (OU)</strong> or container in Active Directory.</li></ul></td></tr></tbody></table>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.nuvens.cloud/install/appendices/administrator-active-directory-permissions.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.