Objective

This article explains how to delegate specific Active Directory attributes to help desk technicians using ADManager Plus. Granular delegation ensures technicians can perform only the actions they are authorized to carry out, such as updating contact details or department fields, without granting full control over user accounts. This approach supports the principle of least privilege, improves security, and helps streamline day-to-day administrative tasks. 

Prerequisites   

• You must have built-in admin access to modify help desk technicians' roles and permissions.

• You need a clear understanding of which attributes need to be delegated.

Steps to follow 

1. Log in to ADManager Plus using the built-in admin account.

2. Go to Delegation > Help Desk Delegation > Help Desk Roles.

3. Select an existing role or click Create New Role to add a new one.

4. Under User Management, navigate to Bulk User Management, select User Attribute Privileges, and check the boxes for the attributes you want to delegate. Click OK.

5. Click Save to apply the changes.

 Tips   

• Always test with a dummy technician account before assigning permissions in production.

• Review and update technician roles periodically to meet evolving business and compliance needs.

• Use naming conventions for roles (e.g., Limited User Update Role) for easy identification.
  

• You can also apply restrictions based on OU scope to prevent unwanted modifications outside the technician's area of responsibility.