Changes to users and groups are part of day-to-day business.
Such tasks are naturally suitable for delegation. Unfortunately, security requirements stand in your way.
How would it be if Service Desk or the departments themselves could make changes to selected user properties and group memberships – without requiring administrative rights to the Active Directory? The changes must be traceable.