I read an article saying "If you have users who need to perform delegated administrative functions such as creating/modifying user accounts, install the administrative tools on their desktops and require them to work from there. Logging onto domain controllers should be restricted to Domain Admins only".
So on a workgroup XP machine (I didn't join it to the domain), I installed the 2003 SP2 Administration Tools Pack for x86 editions. The workstation is in the same subnet as the DC, but I didn't join it to the domain. I just opened AD Users and Computers and typed in the domain name. Surprisingly, I was able to delete a user!! Why???