Allow technicians to unenroll user accounts from ADSelfService Plus
When employees leave an organization, their Active Directory account needs to be cleaned up and secured. The employees’ user account must be protected and, after a while, purged from the system. We suggest that all separated employees’ user accounts be disabled and moved to a secure organizational unit (OU). When appropriate, the user accounts’ group membership should also be removed. (NOTE: Making a screen capture of the group membership is a good idea before doing this!)
Often, managers and other coworkers need to access emails and other resources owned by the user account, so the account must remain intact. Since the user acccount can’t be immediately deleted, there might be other systems, such as ADSelfService Plus, Office 365, and more that need to have that user account deactivated so it is no longer taking up a license.
With regard to ADSelfService Plus, you can either have the Super Admin or an Operator (both types of technicians) unenroll user accounts. The Super Admin has this privilege by default, which makes sense as a Super Admin. However, the Operator does not have this capability. In order for you to allow Operators to disenroll (deactivate) user accounts, the following steps must be performed:
Read the entire article here, Allow technicians to unenroll user accounts from ADSelfService Plus
via the fine folks at ManageEngine