I'm trying to delegate control to a specific AD Security Group so they can reset passwords for users within a specific OU. I ran the Delegation of control wizard, added the group, did everything custom and followed the directions perfectly as described here:
Problem is, the users in that group can't actually do it. The box is disabled for forcing the password to expire, and trying to reset the password produces access denied.
I'm doing the change from a Vista machine with the RSAT tools. I have verified the permissions on the Security tab on the OU after making the change. I ran a gpresult from the machine, and it is properly seeing the user in the necessary group.
I notice on Windows Server 2003, I can't see the security tab on an OU. I tried removing the rights from the Vista RSAT, then adding on the Server 2003. When that occurs, I can see the permissions from my Vista machine so I know they are propogating properly.
Any ideas how I can debug where the problem lies?