Deletegate Control - ADUC

crrussell3

I am needing to perform a Delegate Control to grant a new Tech Support role the ability to perform only certain functions, and am having a hard time determining what exactly I need to grant them.

Here is what I need the role to perform:

• Create/delete/move users
• Create/delete/move computers
• Change group memberships
• Create/delete/move groups
• Update user information
• GPO RSOP / Modeling

More or less, they need full control of user, computer and group objects only and to model GPO rights. I could just grant them full control of the OUs in question, but don't want to do that for obvious reasons. All of the "how to" guides out there only cover things like reseting passwords, creating users, etc. I am just not sure if that allows everything else I am needing.

Can anyone shed some light on this? Or am I stuck with trial/error tell I we get it right lol.