I've just added a member to my Help desk team and delegated control of one organizational unit (OU) to him so that he can add and delete user accounts (and edit the account properties). With this control, he can add users to groups (he needs this function as part of his job), and this could be a problem when it comes to high-privilege groups such as domain, schema, and enterprise administrators. I understand I could use a Group Policy Object (GPO) with Restricted Groups and put authorized users in those groups, but where should I apply this policy to the domain controller (DC)? I know I have to be careful to include all current domain admins, but are there any other hidden security principals that need to go into the policy? Is there a better way to lock these groups down?

If the permissions you delegated were restricted to the ability to create, delete, and modify users within the OU, your Help desk employee won't be able to add or remove those users from high-privilege groups. You must have write access to the members property of the group you are modifying to change group membership. Also note that you use Restricted Groups to manage the membership of local groups in the SAMs of member servers and workstations in the domain; you can't use it to manage domain groups in Active Directory (AD). 50462