Give your helpdesk team the ability to manage user accounts in the domain without making them members of the Domain Admins group.
- Create a group named ‘Helpdesk Admins’ and add the user accounts of all helpdesk staff who are to hold this role
- Run ADUC (Active Directory Users and Computers) > navigate to the OU where permissions are to be granted (or the domain root to delegate over the entire domain) > Delegate Control > Next > Add > search for ‘Helpdesk Admins’ > OK
- Next > select ‘Create, Delete, and Manage User Accounts’, ‘Reset user passwords and force password change at next logon’, ‘Read all user information’, ‘Modify the membership of a group’, ‘Join a computer to the domain’
- Next > Finish
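
To confirm what the wizard actually granted, the following added example (not part of the original page) lists the access control entries that ‘Helpdesk Admins’ holds on the delegated container, with object-type GUIDs resolved to names. It assumes the RSAT ActiveDirectory module is installed; the distinguished name in `$TargetDN` is a placeholder.

```powershell
# Added example: list the ACEs that 'Helpdesk Admins' holds on a delegated OU.
# Assumes the RSAT ActiveDirectory module; $TargetDN is a placeholder.
Import-Module ActiveDirectory

$GroupName = 'Helpdesk Admins'
$TargetDN  = 'OU=Staff,DC=example,DC=com'   # placeholder: the OU (or domain root) you delegated

# Build a GUID -> name map so the object-type GUIDs inside ACEs are readable.
$rootDse = Get-ADRootDSE
$guidMap = @{}
$guidMap[[guid]::Empty] = 'All'             # an empty GUID means "applies to everything"

# Schema classes and attributes (schemaIDGUID is stored as a byte array).
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
        -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }

# Extended rights and property sets (rightsGuid is stored as a string).
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.name }

# Keep only the entries whose trustee is the delegated group.
$identity = '{0}\{1}' -f (Get-ADDomain).NetBIOSName, $GroupName
$aces = (Get-Acl -Path "AD:\$TargetDN").Access |
    Where-Object { $_.IdentityReference.Value -eq $identity }

if (-not $aces) { Write-Warning "No ACEs found for $identity on $TargetDN" }

# ObjectType = the right, attribute or child class the ACE covers;
# AppliesTo  = the object class that inherits the ACE.
$aces |
    Select-Object AccessControlType, ActiveDirectoryRights,
        @{ n = 'ObjectType'; e = { $guidMap[$_.ObjectType] } },
        @{ n = 'AppliesTo';  e = { $guidMap[$_.InheritedObjectType] } },
        InheritanceType, IsInherited |
    Sort-Object AppliesTo, ObjectType |
    Format-Table -AutoSize -Wrap
```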