I have a windows 2000 server. Actually I have many of them. I have a help desk. Now the help desk has almost domain admin rights. I have users that forget their password a lot so we let the help desk unlock them and reset their password and all. I also have a group of about 355 people that have the same rights as the helpdesk. Except when they lock themselves out the help desk can not unlock them and they have to call me and my 5 man team. Is there a way I can give the help desk permission to unlock all type of accounts without giving them domain admins?