Domain Admin created objects in ADUC can't be edited by Helpdesk

I am currently running into an issue where any computer account or user account created in ADUC by a Domain Admin is unable to be edited by anyone with lower privileges than a Domain Admin.  The affected users are members of the Account Operators group.  We have also tried delegating permissions to an OU without success.  Any ideas how I can remedy this situation?

Other pertinent info:

Functional Level: Server 2008 R2

Note: This also occurred prior to the functional level upgrade from 2000 mixed mode.
Who is Participating?
Sarang TinguriaConnect With a Mentor Sr EngineerCommented:
Check the security permissions of those users which are not editable
Start AD in Advanced Mode and right click users and check security tab- click advanced - Select effective permissions and select you account operators ID/Group and see what permissions are assigned for that object
Krzysztof PytkoSenior Active Directory EngineerCommented:
Looks like there is missing inheritance on OU objects. Can you verify if Account Operators are available on particular objects which were created ? If not, I would recommend AD reorganization to not use standard built-in groups (they give too much permissions to users). Instead of that please delegate appropriate tasks to your users.

If you wish, you may follow articles on my blog for that at

automaton64Author Commented:
@sarang_tinguria: In the security tab for the users created by the DA, there is no Account Operators group.  In an account created by anyone below that level, the Account Operator has Full Control.  

@iSiek:  For some more background, we don't use the built-in Users OU for the users affected.  We have a Users OU that is located under each separate site OU.  For the security of this User's OU, Account Operators have "Create/delete Computer Objects", "Create/delete Group Objects", and "Create/delete User Objects" applied to "This object only".  

As I type, I think I am figuring out what is going on.  Maybe you guys can help me confirm.  As I dig through the permissions, there are two groups in question, we will call one group "Level3", which the affected users are a member of.  This group is a member of the Account Operators built-in group.  At the top level, as I described above, the Account Operators group has the ability to create objects in this OU, and is applied ONLY to this OU.  As I move down the list of permissions, I see the Level3 group with the following permissions:

1) "Reset Password" - applied to "Decendant User Objects"
2) "Read pwdLastSet" - applied to "Decendant User Objects"
3) "Create Organizational Unit Objects" - applied to "This object and all descendant objects"
4) "Read lockoutTime" - applied to "Decendant User Objects"
5) "Read adminDisplayName" - applied to "Decendant User Objects"

So correct me if I'm wrong, but according to the permissions at the top level, I'm seeing that the Account operators who are also a member of the Level3 group are given the permissions to create the User objects in the OU, and by virtue of being in the Account Operators group, are given Full Control when created.  However, when a Domain Admin creates one, the inheritance set at the top level only propagates the ability for users in the Account Operators group or Level3 group to basically display the users and reset passwords.

Does this sound correct?
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.