You can set permissions for performing tasks in the Active Directory Schema snap-in.

Membership in Schema Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at https://go.microsoft.com/fwlink/?LinkId=83477.

To apply permissions to perform a schema task
  1. Open the Active Directory Schema snap-in.

  2. In the console tree, click Active Directory Schema to connect to the domain.

  3. In the console tree, right-click Active Directory Schema, and then click Permissions.

  4. In Group or user names, select a user or group, or click Add to add a user or group.

  5. In Permissions for <user_name>, select or clear the permission that you want to grant or deny, respectively, and then click OK.

Additional considerations

  • Performing this task requires schema administrator credentials, which are assigned only to the Schema Admins group. By default, only the Administrator account in the forest root domain is a member of the Schema Admins group. You can set permissions for different administrators to manage schema operations, but it is best to limit the number of schema administrators to a single highly trusted administrator in the forest.

  • If the Active Directory Schema snap-in is not installed, see Install the Active Directory Schema Snap-In.
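
To review the result of the procedure above, the following read-only PowerShell audit lists the current Schema Admins members and every principal that holds a change-capable permission on the schema container. It is an added example, not part of the original page; it assumes the ActiveDirectory module (RSAT) is installed and that the group still has its default name, Schema Admins.

```powershell
# Added example: read-only audit, nothing is modified.
# Assumes the ActiveDirectory module (RSAT), which also provides the AD: drive.
Import-Module ActiveDirectory

# Locate the schema naming context and the forest root domain.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$forest   = Get-ADForest

# 1. Schema Admins membership. The group lives in the forest root domain.
#    Assumption: the group has its default name.
$members = @(Get-ADGroupMember -Identity 'Schema Admins' `
                               -Server $forest.RootDomain -Recursive)
"Schema Admins members: $($members.Count)"
$members | Select-Object Name, SamAccountName, objectClass |
    Format-Table -AutoSize

# 2. Allow entries on the schema container that can change the schema or its
#    permissions. GenericAll and GenericWrite are left out of the mask on
#    purpose: they are composite values that contain read bits, so masking
#    with them would also match read-only entries. An entry that grants
#    GenericAll still matches because it contains the bits listed here.
$changeRights = [int][System.DirectoryServices.ActiveDirectoryRights] `
    'CreateChild, DeleteChild, WriteProperty, Delete, DeleteTree, WriteDacl, WriteOwner'

$acl = Get-Acl -Path "AD:\$schemaNC"
"Owner of ${schemaNC}: $($acl.Owner)"

$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.ActiveDirectoryRights -band $changeRights) -ne 0)
    } |
    Sort-Object IdentityReference |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
    Format-Table -AutoSize -Wrap
```

Any account in either list beyond the single trusted schema administrator is a candidate for removal through the Permissions dialog described in the procedure.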
