Group-based delegation

This option allows you to grant the permission to perform the desired Active Directory tasks to a group instead of individual users. This option offers the following benefits:

  • Creating help desk technicians becomes easier and quicker as the desired roles can be assigned to a group, instead of assigning them to multiple users one after the other.
  • You can modify the roles assigned to the groups as and when organizational requirements change. The technicians' permissions will be updated automatically.
  • It is easy to ensure that all the relevant users are able to perform the appropriate tasks by just adding them to or removing them from the appropriate groups, instead of changing the permissions of individual users.

Whenever a user who is a member of a group with permissions to perform AD tasks is disabled or removed from the group, those permissions are automatically removed from the user as well.

How to delegate to groups?

  • Click the AD Delegation tab.
  • Go to the Help Desk Technicians link, and then click the Add New Technician link.
  • Select your desired domain.
  • Click the "+" option near Select AD Users/Groups in order to delegate to a user/group.
  • Click the Groups tab.
  • Select the group to which you want to delegate the help desk role, and click OK.
  • Choose the roles you wish to assign to the group using Select Help Desk Roles.
  • Check the Impersonate as Admin option if you wish to assign admin permissions to the group being selected.
  • Click the Save button.

Note:

  • The Impersonate as Admin option allows the technician to carry out his/her delegated tasks as usual, but the security logs on the domain controller will show the tasks as having been performed by a user with service account credentials rather than the technician's.
  • To provide admin level permissions to select group members alone, click the Edit button next to the group and select the check box under Impersonate as Admin.
  • To view the help desk technicians available under each group which has been delegated with help desk roles, click the Group View button.
  • The Permission Inheritance column can be added using the Add/Remove Columns option.
  • To get all the available information about technicians, use the Technicians Report of ADManager Plus.

Delegation and inheritance scenarios to be considered:

The following is a list of scenarios that show how inheritance works in group-based delegation. The assumption in every scenario is that User 1 is a member of Group 1, which has been delegated help desk roles.

1. User 1 is already configured as a technician.

Result: The help desk roles of just User 1, and not Group 1, are assigned to the user.

2. User 1 is removed from Group 1.

Result: User 1 will only be able to log in if she/he has been directly configured as a help desk technician. The user will no longer have the roles and permissions she/he initially derived from being a member of Group 1.

3. Group 1 is disabled in the technicians list in ADManager Plus.

Result: User 1 will be able to log in only if he/she has been directly configured as a help desk technician. Otherwise, he/she will not be able to log in.

4. Group 1 is deleted from the technicians list in ADManager Plus.

Result: User 1 will be allowed to log in only if he/she has been directly configured as a help desk technician.

5. Group 1 is deleted from Active Directory.

Result: User 1 will be able to log in only if he/she has been directly configured as a help desk technician.

Frequently asked questions about group-based delegation:

1. I have a user who is a member of two groups, Group A and Group B, with different roles delegated to them. What roles will the member user be able to perform?

The user will have the roles of both Group A and Group B.

2. I have enabled Impersonate as Admin for Group A and disabled it for Group B. What will happen to the user who is a member of both groups?

The user will not be able to impersonate as admin. Disabling this option takes precedence over enabling it.

3. While selecting OUs, if I select all OUs for Group A and specific OUs for Group B, which OUs will a user who is a member of both groups have access to?

The user will be able to perform his/her roles in the specified OUs and not all OUs. When the selection of OUs is conflicting, precedence is given to the side with the least number of OUs.

  • Click Edit, provide the user with roles, and click Save.
  • Update the user's group membership details.

5. How do you calculate licenses for group-based delegation?

Licensing is based on the members of the group and not the group as a whole. All enabled users will be counted towards the licenses. Users without any roles delegated to them will be considered as disabled users and no licenses are required for them.

6. I have added more users to Group A than the number of licenses I have available. In what order will these licenses be allocated to my users?

The users who log in to the product first will be assigned the licenses.

7. Can technicians change default templates during user creation?

Technicians who derive their roles from the groups that they are members of cannot modify default templates.
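
The inheritance scenarios and the precedence rules in questions 1 to 3 above, modelled as an added example for reviewing what a technician effectively receives (this is not ADManager Plus code and not part of the original page). The Delegation type, the ALL_OUS sentinel and the sample groups are hypothetical, and applying the smallest-OU rule to more than two groups is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

ALL_OUS = None  # hypothetical sentinel: the delegation covers every OU

@dataclass
class Delegation:
    roles: frozenset
    ous: Optional[frozenset]         # ALL_OUS or a specific set of OUs
    impersonate_admin: bool = False
    enabled: bool = True             # False = disabled in the technicians list

def _ou_count(d):
    # "All OUs" is treated as the largest possible selection.
    return float("inf") if d.ous is ALL_OUS else len(d.ous)

def effective_delegation(direct, groups):
    """Return the Delegation a user ends up with, or None if login is refused.

    direct: the user's own technician entry, or None.
    groups: delegations of the groups the user is currently a member of.
    A group deleted from AD or from the technicians list, or one the user
    was removed from, is simply absent (scenarios 2, 4 and 5).
    """
    if direct is not None:
        return direct                # scenario 1: the user's own roles, not the group's
    active = [g for g in groups if g.enabled]      # scenario 3: disabled group ignored
    if not active:
        return None                  # nothing left to inherit, no login
    roles = frozenset().union(*(g.roles for g in active))      # FAQ 1: roles of all groups
    impersonate = all(g.impersonate_admin for g in active)     # FAQ 2: disabled wins
    scope = min(active, key=_ou_count).ous                     # FAQ 3: fewest OUs wins
    return Delegation(roles, scope, impersonate)

# Constructed sample data: role names and OU paths are made up for illustration.
GROUP_A = Delegation(frozenset({"Reset Password"}), ALL_OUS, impersonate_admin=True)
GROUP_B = Delegation(frozenset({"Unlock Users"}),
                     frozenset({"OU=Sales,DC=example,DC=com"}))

if __name__ == "__main__":
    print(effective_delegation(None, [GROUP_A, GROUP_B]))
```

Running the model over an export of group memberships and delegations gives a quick way to spot users whose combined roles are broader than intended.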