I CAN get the AD service to start when making the user part of the "Domain Admins" group. As most system admins, I like to follow least privilege scenario. What rights do I need to delegate to my service account to be able start the AD service. I have already tried giving it access to add computer objects to the domain, but it must need something more.