OU-based delegation

OU-based delegation enables you to delegate a different set of roles for different OUs to any technician. For example, you can delegate the 'user provisioning' role in the Finance and Marketing OUs, and the 'unlock users' role in the HR OU, to technician A. Similarly, you can delegate the 'reset password' role for the Finance, Marketing and HR OUs to another technician, and so on. Doing this with native tools can be complex and requires new code every time you wish to delegate a specific role to a technician. ADManager Plus provides non-invasive OU-based delegation, with audit reports, that gives technicians just the roles they require.

ADManager Plus' delegation also offers granular control over delegated tasks, via customizable workflows, which is pivotal for enforcing better security practices. With OU-based delegation in place, it is easier to:

  • Define, categorize and break down roles by OU so that no technician has more privileges than are necessary to perform their delegated tasks.
  • Ensure standard organization-wide security practices for more efficient identity governance.
  • Implement security practices for IT regulatory compliance and other policies.

Steps to enable OU-based delegation

  1. Log on to ADManager Plus as the admin.
  2. Navigate to Delegation tab > Help Desk Delegation > Help Desk Technician > Edit technician.
  3. In the top right corner, above the Delegate roles section, click OU-based Delegation.
  4. In the pop-up window that opens, click Switch Now to proceed.
    • Once you switch from Domain-based delegation to OU-based delegation, you will not be able to revert to Domain-based delegation.
    • The delegations take effect only in the product; the technicians' actual privileges in Active Directory will remain unchanged.
  5. When you select the desired domain, you will see advanced options for OU-based delegation, which can be configured as needed.
    • Select OUs - You can select the OU you wish to delegate to the selected technician. Check the Exclude Child OU(s) option if you wish to delegate the role to the parent OU and not the child OUs.
    • Help Desk Roles - Choose the desired roles, applicable to the OUs selected earlier, to be delegated to the technician.
    • Assign Templates - Choose the templates that will be available for the technician's usage.
    • Impersonate as admin - Checking this option elevates the technician's permissions to admin level in ADManager Plus without changing their permissions in Active Directory.
  6. To add another role or OU to be delegated, click the '+' icon located near the Help Desk Roles option.
  7. Similarly, configure delegation for other domains if needed and click Save Changes.
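
A delegation plan can be checked against the scoping options in step 5 before it is entered in the console. The following is an added example, not part of the original page or of ADManager Plus itself; the technician names, the example.com domain and the plan layout are assumptions, and it treats Exclude Child OU(s) as limiting a role to objects directly in the selected OU.

```python
# Added example: models the OU scoping described above so a delegation plan
# can be checked before it is entered in the console. Not ADManager Plus code.

def parse_dn(dn):
    """Split a DN into lower-cased RDNs (assumes no escaped commas in values)."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]

def in_scope(object_dn, ou_dn, exclude_child_ous):
    """True if the object is covered by a delegation on ou_dn."""
    parent = parse_dn(object_dn)[1:]          # container that holds the object
    ou = parse_dn(ou_dn)
    if len(parent) < len(ou) or parent[len(parent) - len(ou):] != ou:
        return False                          # outside the OU's subtree
    # Objects directly in the OU always match; deeper ones only if children are included.
    return parent == ou or not exclude_child_ous

def effective_roles(plan, technician, object_dn):
    """Union of the roles a plan gives one technician over one object."""
    roles = set()
    for entry in plan:
        if entry["technician"] == technician and in_scope(
                object_dn, entry["ou"], entry["exclude_child_ous"]):
            roles |= set(entry["roles"])
    return roles

def excess_roles(plan, technician, object_dn, allowed):
    """Roles the plan grants beyond what the reviewer intended for this object."""
    return effective_roles(plan, technician, object_dn) - set(allowed)

# Constructed plan mirroring the example in the introduction (hypothetical names).
BASE = "DC=example,DC=com"
PLAN = [
    {"technician": "tech-a", "ou": f"OU=Finance,{BASE}", "exclude_child_ous": False,
     "roles": ["user provisioning"]},
    {"technician": "tech-a", "ou": f"OU=Marketing,{BASE}", "exclude_child_ous": False,
     "roles": ["user provisioning"]},
    {"technician": "tech-a", "ou": f"OU=HR,{BASE}", "exclude_child_ous": True,
     "roles": ["unlock users"]},
    {"technician": "tech-b", "ou": f"OU=HR,{BASE}", "exclude_child_ous": False,
     "roles": ["reset password"]},
]

if __name__ == "__main__":
    target = f"CN=Sam Lee,OU=Payroll,OU=Finance,{BASE}"   # constructed user in a child OU
    print(effective_roles(PLAN, "tech-a", target))
    print(excess_roles(PLAN, "tech-a", target, allowed=[]))
```

In this constructed plan, tech-a reaches the Payroll child OU through the Finance entry because child OUs are not excluded there, which is the kind of unintended reach the check is meant to surface.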
