I've set up access for our helpdesk to be able to reset passwords and unlock accounts on user object OUs on my active directory. I used this article for the account unlocking and did something similar for resetting passwords.
This seems to work correctly for pretty much all user accounts. However there is a small group of accounts that they still cannot reset the passwords for. It looks to me like the group they cannot reset the password for are Domain Admins. Does anyone know if this is a design feature in Active Directory or if it is just that I haven't delegated the account rights correctly? My domain controllers run Windows Server 2003 Sp1.