Your company's on-premises Active Directory contains several organizational units (OUs). Senior administrators want the Help-Desk supervisors to reset passwords and unlock accounts for users in the Sales OU only. The supervisors must not be able to create or delete objects, modify group membership, or manage accounts that reside in other OUs. Which method BEST satisfies the requirement while honoring the principle of least privilege?
Run the Delegation of Control Wizard on the Sales OU and grant the supervisors Reset password and Unlock account permissions.
Place the supervisors in the built-in Backup Operators group and give the group Full Control over the Sales OU.
Enable Azure AD Connect password writeback so supervisors can reset on-premises passwords from the Entra admin center.
Add the supervisors to the Domain Admins group so they inherit all account-management privileges.
Delegating control on an OU lets an administrator assign a narrowly scoped set of permissions (such as Reset password and Unlock account) to a designated user or group. The Delegation of Control Wizard can apply those rights only to the Sales OU, so supervisors cannot affect objects elsewhere or perform other tasks. Adding the supervisors to Domain Admins would grant full domain-wide authority, far exceeding the requirement. Azure AD Connect password writeback synchronizes password changes between Entra ID and on-premises AD but does not by itself restrict Help-Desk scope to a single OU. Backup Operators can bypass file permissions to back up and restore data; they do not receive user-account administration rights, and granting the group Full Control over the OU would far exceed the stated tasks. Therefore, using the Delegation of Control Wizard is the correct and least-privileged solution.