Predefined Active Directory administrator roles

Active Directory has predefined administrator roles, each with a predefined set of permissions attached to it. If a user account needs to be granted the permissions of one of these roles, it must be added to the relevant security group:

  • Enterprise Admins: This is the highest Active Directory role permission that can be applied in the AD forest. Accounts that are members of this group can modify the logical and physical topology of the Active Directory infrastructure, and can also make schema changes. This role is capable of managing the membership of the other roles (Enterprise Admins, Schema Admins, and Domain Admins).
  • Schema Admins: Members of this group can modify the Active Directory schema. This group exists only in the forest root domain, as the schema is handled at the forest level.
  • Domain Admins: This is the highest Active Directory role permission that can be applied in the AD domain. When the first domain controller is added to the forest, the default administrator account becomes a member of both the Domain Admins and Enterprise Admins groups. A Domain Admin can add members to, and remove them from, the Domain Admins group.

These roles have high privileges in the Active Directory environment. Therefore, rather than keeping permanent memberships, it's recommended that you use PAM to provide time-based group memberships. This was described in detail in Chapter 2, Active Directory Domain Services 2016.
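As an added example (not from the book), the following PowerShell audits the three predefined groups and shows a time-based membership grant instead of a permanent one. It assumes the ActiveDirectory module, that it runs in the forest root domain (where Enterprise Admins and Schema Admins live), and that the account name 'alice' is a placeholder.

```powershell
# Added example: audit the predefined admin groups and grant a PAM time-bound membership.
# Assumes the ActiveDirectory module and execution in the forest root domain.
Import-Module ActiveDirectory

$privilegedGroups = 'Enterprise Admins', 'Schema Admins', 'Domain Admins'

function Get-PrivilegedGroupReport {
    foreach ($group in $privilegedGroups) {
        # -Recursive expands nested groups, so indirect members are reported too
        $members = @(Get-ADGroupMember -Identity $group -Recursive)
        [PSCustomObject]@{
            Group       = $group
            MemberCount = $members.Count
            Members     = ($members | Select-Object -ExpandProperty SamAccountName) -join ', '
        }
    }
}

Get-PrivilegedGroupReport | Format-Table -AutoSize

# Schema Admins should normally be empty: schema changes are rare, planned events.
$schemaAdmins = @(Get-ADGroupMember -Identity 'Schema Admins' -Recursive)
if ($schemaAdmins.Count -gt 0) {
    Write-Warning "Schema Admins has $($schemaAdmins.Count) standing member(s); review them."
}

# Time-based membership requires the PAM optional feature (forest functional level 2016).
# Enabling it is a one-way change, so run this once and deliberately:
# Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
#     -Scope ForestOrConfigurationSet -Target (Get-ADForest).Name

# Grant the placeholder account 'alice' Domain Admins for 4 hours;
# the membership link expires automatically when the TTL reaches zero.
Add-ADGroupMember -Identity 'Domain Admins' -Members 'alice' `
    -MemberTimeToLive (New-TimeSpan -Hours 4)

# Confirm the remaining TTL on the membership link (shown as <TTL=seconds,DN>).
Get-ADGroup -Identity 'Domain Admins' -Properties member -ShowMemberTimeToLive |
    Select-Object -ExpandProperty member
```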