There are objects in my AD that have objectClass set to device, and I would like to delegate control to non-admin users so they will be able to add new and delete existing objects with objectClass set to device, but not other objects that have objectClass user, computer, or group.
I'm using the device class because it has a macAddress attribute. New objects are created with the New-ADObject command:
New-ADObject -Type device -Name NAME -Path "OU=MAC,DC=ddomain,DC=local" -Description DESCRIPTION -OtherAttributes @{'macAddress'="0011223344"}
From what I see, the Delegation of Control wizard and the ACL editor do not offer such fine-grained control, where I can select a custom objectClass for which security properties should be edited.
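The kind of per-objectClass delegation described above can be done outside the GUI by writing the ACE directly: an object-specific ACE on the OU whose ObjectType is the schemaIDGUID of the device class. The following is an added example and is not code from the original post; it assumes the RSAT ActiveDirectory module, the OU path from the question, and a security group named MAC-Device-Admins (an assumed name) that should receive the rights.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module,
# the OU from the question and an assumed group "MAC-Device-Admins".
Import-Module ActiveDirectory

$ou       = "OU=MAC,DC=ddomain,DC=local"
$delegate = Get-ADGroup "MAC-Device-Admins"   # assumed group name
$sid      = [System.Security.Principal.SecurityIdentifier]$delegate.SID

# Resolve the schemaIDGUID of the "device" class from the schema partition.
# This GUID is what restricts the ACE to one objectClass.
$schemaNC    = (Get-ADRootDSE).schemaNamingContext
$deviceClass = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=device))" `
    -Properties schemaIDGUID
$deviceGuid  = [guid]$deviceClass.schemaIDGUID

$acl = Get-Acl -Path "AD:\$ou"

# ACE 1: on the OU (and containers below it), allow creating and deleting
# child objects whose class is device only. CreateChild/DeleteChild with an
# ObjectType GUID is what "Create/Delete device objects" means in the ACL editor.
$childRights = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor `
               [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild
$createDelete = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    $childRights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $deviceGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
)

# ACE 2: on descendant objects of class device only, allow writing attributes
# (macAddress, description) so the group can edit the objects it manages.
# InheritedObjectType = device GUID keeps this off users, computers and groups.
$writeDevice = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $deviceGuid
)

$acl.AddAccessRule($createDelete)
$acl.AddAccessRule($writeDevice)
Set-Acl -Path "AD:\$ou" -AclObject $acl

# Check: list only the ACEs scoped to the device class on this OU.
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.ObjectType -eq $deviceGuid -or $_.InheritedObjectType -eq $deviceGuid } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

The two ACEs are deliberately narrow: the first one lets members create and delete device objects under the OU but not users, computers or groups, and the second lets them modify only objects that already are of class device. After applying, test with a member of the group: New-ADObject -Type device should succeed, while New-ADObject -Type user (or computer) in the same OU should be refused unless some other ACE grants it.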