One consideration is to add Helpdesk users into the ‘Account Operators’ group. This would effectively grant limited account creation privileges to those personnel. Members of this group can administer many types of accounts, including users, local, and global groups. Operators could also log on to domain controllers. Overall, this is a rather high level of access.
Account Operators “can create and manage users and groups in the domain, but it cannot manage service administrator accounts. As a best practice, do not add members to this group, and do not use it for any delegated administration.” (source: https:// docs.microsoft.com/en-us/previous-versions/tn-archive/cc875827(v=technet.10)?redirectedfrom=MSDN#XSLTsection124121120120).
Therefore, Administrators are advised to create a custom AD group for this purpose. I’ve written an article toward this topic here (https://blog.kimconnect.com/active-directory-helpdesk-admins-group-creation/)
