we have a problem with our Active Directory administrators. Some of them are not able to reset a password for some users or move them to another OU. They are NOT domain admins. Do you know some best practices for setting rights for such administrators? They primarily have to manage user accounts (add/delete users, move them...), add user-groups and add computers to the domain. Another admin is responsible for managing the OUs and another one for managing the group policies.
Are their issues with owner of an user, e.g. if a domain admin has created it a "normal" admin can not manage it completely?
Some tips would be gread!