We have recently begun setting up Adaxes and are trying to exercise least privilege on both of the accounts we have created to manage the service. The first is a service account with the rights to Create/Delete Child Objects on the computer in order to publish the Adaxes service - no issues there.
Our second, the domain service account, has permissions to create/delete all child objects in the OU. However, when an attempt is made to create/delete a new user within this OU, we receive a permissions error suggesting we add it to Builtin/Domain/Enterprise Admins.
What permissions could we be missing here that prevent us from creating new users?
The aforementioned account is also given the appropriate Security Role within the Adaxes administrative console.