what rights do I need to assign a user to add a upn suffix under active directory domain and trusts? he needs to add email domains under suffixes.

Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. http://technet.microsoft.com/en-us/library/cc772007.aspx

anyway I can add this right to a user without adding him to the domain admin/enterprise admin group?

No you can not give this user to add UPN suffixes without the fact to let him member of the domain admins / enterprise admins group. Like it is mentioned in the Microsoft article, it is the minimum required to compete this procedure. If you want to give the less permissions as possible, I would like to mention that Enterprise Admins are designated for the entire forest while domain admins are for specific domain only. Based on that, it will be better to let this user member of domain admins group. This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. Microsoft Student Partner Microsoft Certified Professional Microsoft Certified Systems Administrator: Security Microsoft Certified Systems Engineer: Security Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration

User can be granted authority by delegation of administration.

delegate what rights?

Hi, You may customize the Delegwiz.inf file to add “Modify a user's UPN” for control delegation. For more information, please refer to the following Microsoft TechNet article and check the template56. Appendix O: Active Directory Delegation Wizard File http://technet.microsoft.com/en-us/library/cc772784(WS.10).aspx Regards,Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

does this apply to 2008? I could not find this inf file in 2008

Hi, In Windows Server 2008, delewiz.inf file is located in %windir%\System32. For more information, please also refer to the following Microsoft KB article: How to customize the task list in the Delegation Wizard http://support.microsoft.com/kb/308404 Regards,Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.