Currently we have over 25 domain administrators in our network. Some of them (e.g. Service desk) have been granted this privilege for the purpose of resetting passwords, unlocking users etc. The Network Manager claims that their access cannot be restricted and that they are planning to implement a web based solution that would provide an interface with limited menu items. I would like to confirm with the experts here that it is not possible to create various roles for different users.