What access is needed to service account to "Enable AD Object" through Orchestration
We need two permissions to service accounts to create/update user objects in service now through Orchestration.
1. "UserAccessControl" permission.
2. Set "lockoutTime" of the user to zero, which means the account is not locked out.
Refer to below KBs for additional information regarding AD Objects creation: