Minimum rights required in Active Directory

Hello all,

I'm trying to figure out the minimum required rights a help desk worker should have to be able to move users and create new mailboxes. Thanks!
Who is Participating?
Mike KlineConnect With a Mentor Commented:
What other tasks would they be doing with user accounts?
There is a builtin-group called account operators (that may be to much power though)
Account Operators
Members of this group can create, modify, and delete accounts for users, groups, and computers located in the Users or Computers containers and organizational units in the domain, except the Domain Controllers organizational unit. Members of this group do not have permission to modify the Administrators or the Domain Admins groups, nor do they have permission to modify the accounts for members of those groups. Members of this group can log on locally to domain controllers in the domain and shut them down. Because this group has significant power in the domain, add users with caution.
We have about 20 people in our help desk.  Two of them do account maintenance and they are in this group.  
PakaConnect With a Mentor Commented:
Configuring a user or helpdesk to manage user accounts and mailboxes can be done but it's a moderately difficult task.  In short, you will need to create a group such as "HelpDeskGroup" and delegate Exchange View Only Adminstrator rights to it (don't let the name concern you) using ESM.  Next, you will need to delegate the appropriate rights to that group - this is the tough part and is detailed in the link below.  Lastly, add the individual Help Desk accounts to the HelpDeskGroup.

Here's a link detailing the appropriate rights needed for mailbox delegation:
hmcnastyAuthor Commented:
Thanks guys, this has been very helpful.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.