Today I was surprised by my available options to create new items in Active Directory. With my Domain Admin account I only could create a Query-based Distribution Group. No User, No Organizational Unit, no Security Group.
I logged on to another server with my Administrator account. On that server I DID have the options.
I quickly found out it had to do with Permissions. And then noticed one of my administrator accounts was kicked out of the Domain Admins group. Instead, it was added to the Local Administrators group. Therefor I did not get any logon error on the particular server. I was stripped off all additional domain permissions!
So, if you can only select Query-based Distribution Group in Active Directory Users and Computers, Add your account to the domain admin group