How to granularly delegate critical help desk roles with OU-based delegation in ADManager Plus

Nothing keeps the cogs of an organization turning smoothly like a well-planned delegation setup. But critical tasks should be delegated securely, following the principle of least privilege, to avoid both internal and external attacks.

Implementing OU-based and role-based delegation practices can make delegation safe and efficient. However, doing this with native tools can be complex and requires new code every time you wish to delegate a specific role to a technician. ADManager Plus, on the other hand, provides non-invasive OU-based delegation, with audit reports, to delegate just the required roles to technicians. For example, you can delegate the 'user provisioning' role in the Finance and Marketing OUs, and the 'unlock users' role in the HR OU, to technician A. Similarly, you can delegate the 'reset password' role for the Finance, Marketing and HR OUs to another technician, and so on.


Furthermore, it offers granular control over delegated tasks, via customizable workflows, which is pivotal for enforcing better security practices. With OU-based delegation in place, it is easier to:

  • Define, categorize and break down roles for every OU so that no technician has more privileges than are necessary to perform their delegated tasks.

  • Ensure standard organization-wide security practices for efficient identity governance.

  • Implement security practices for IT regulatory compliance and other policies.


Steps to enable OU-based delegation

  1. Log on to ADManager Plus as the admin.

  2. Navigate to Delegation tab > Help Desk Delegation > Help Desk Technician > Edit technician.

  3. Click OU-based Delegation in the top right corner, above the Delegate roles section.

  4. In the pop-up window that opens, click Switch Now to proceed.


  • Once you switch from domain-based delegation to OU-based delegation, you will not be able to revert to domain-based delegation.

  • The delegations take effect only in the product; the technicians' actual privileges in Active Directory remain unchanged.

  5. When you select the desired domain, you will see advanced options for OU-based delegation, which can be configured as needed.

    • Select OUs - You can select the OU you wish to delegate to the selected technician. Check the Exclude Child OU(s) option if you wish to delegate the role to the parent OU and not the child OUs.

    • Help Desk Roles - Choose the desired roles, applicable to the OUs selected earlier, to be delegated to the technician.

    • Assign Templates - Choose the templates that will be available for the technician's usage.

    • Impersonate as admin - Checking this option elevates the technician's permissions to admin level in ADManager Plus without changing their permissions in Active Directory.

  6. To add another role or OU to be delegated, click the '+' icon located near the Help Desk Roles option.

  7. Similarly, configure delegation for other domains if needed and click Save Changes.
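To review a planned delegation matrix for least privilege before entering it in the console, the scoping rules described above can be modeled offline. This is an added example, not ADManager Plus code: the `Grant` record, the `example.com` DNs and the matching logic are assumptions that mirror the Select OUs, Exclude Child OU(s) and Help Desk Roles options, and the HR exclusion is chosen here for illustration.

```python
import re
from dataclasses import dataclass


def rdns(dn):
    """Split a DN into normalized RDNs, honoring backslash-escaped commas."""
    return [p.strip().lower() for p in re.split(r"(?<!\\),", dn)]


@dataclass(frozen=True)
class Grant:
    # Hypothetical record mirroring one OU/role row of the delegation form.
    ou: str
    roles: frozenset
    exclude_child_ous: bool = False


def in_scope(grant, object_dn):
    """True if the object's container is the granted OU or, unless excluded, below it."""
    container = rdns(object_dn)[1:]          # drop the object's own RDN
    ou = rdns(grant.ou)
    if container == ou:
        return True
    if grant.exclude_child_ous:
        return False
    return len(container) > len(ou) and container[-len(ou):] == ou


def effective_roles(grants, object_dn):
    """Union of roles a technician holds over one directory object."""
    roles = set()
    for g in grants:
        if in_scope(g, object_dn):
            roles |= g.roles
    return roles


def is_allowed(grants, role, object_dn):
    return role in effective_roles(grants, object_dn)


# Constructed sample data following the article's technician A / other technician example.
BASE = "DC=example,DC=com"
TECH_A = [
    Grant(f"OU=Finance,{BASE}", frozenset({"user provisioning"})),
    Grant(f"OU=Marketing,{BASE}", frozenset({"user provisioning"})),
    Grant(f"OU=HR,{BASE}", frozenset({"unlock users"}), exclude_child_ous=True),
]
TECH_B = [Grant(f"OU={ou},{BASE}", frozenset({"reset password"}))
          for ou in ("Finance", "Marketing", "HR")]
```

Calling `effective_roles` for each technician against a sample of user DNs gives a quick list of who can do what where, which can then be compared with the product's audit reports.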

Tune in next week for another quick tip for better identity and access management!



Team ADManager Plus.