>创建,删除和管理用户帐户
>重置用户密码并在下次登录时强制更改密码
>阅读所有用户信息
>创建,删除和管理组
>修改组的成员身份

我找到的唯一方法是以下,但我找不到正确的权限分配：

$acc  = Get-ADUser NickA
$sid  = new-object System.Security.Principal.SecurityIdentifier $acc.SID
$guid = new-object Guid bf967aba-0de6-11d0-a285-00aa003049e2 
$ou   = Get-ADOrganizationalUnit -Identity TestUsers
$acl  = Get-ACL -Path "AD:$($ou.DistinguishedName)"
$acl.AddAccessRule($(new-object System.DirectoryServices.ActiveDirectoryAccessRule $sid,"CreateChild,DeleteChild","Allow",$guid))
Set-ACL -ACLObject $acl -Path "AD:$($ou.DistinguishedName)"