I am in the process of setting up a taskpad to allow a few people at our office to reset user passwords and enable user accounts that are disabled (locked). I went through the Delegate Control wizard on the OU with the accounts and gave the permission to reset passwords to the people who need it. I then went through a document that explained how to create a taskpad and did that. I installed the AD parts of the admin pack (Server 2003) on the computers that the "password resetters" are using. This seems to work - the PCs are XP Pro SP2 and it's a Windows 2008 SBS environment they need to manage. I have 2 issues though.
1) If a user launches any of the AD tools (instead of the taskpad I created), they are blocked from doing almost everything (that I tested, anyway). For instance, they cannot force a replication between DCs or raise the functional levels of the domain or forest. However, they CAN create computers and users even though I specifically DID NOT grant that permission in the delegation wizard on that OU.
2) They CANNOT enable a disabled user account.
I went back through the Delegation of Control wizard again and didn't see anything intuitive to answer #2. I assume that I can just remove the people from the Security tab and start over to delete any existing permissions on the OU to fix #1, but I still want to make sure these people ONLY have the permissions to reset passwords and enable disabled accounts.
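One way to see exactly what the wizard granted on the OU, rather than re-running it and guessing, is to read the OU's ACL and translate the object-type GUIDs into names. This is an added example, not from the original post; it assumes the ActiveDirectory PowerShell module (RSAT) is available, and the OU distinguished name and group name are placeholders for your own values.

```powershell
# Added example: audit the ACEs a delegated group holds on an OU and report whether
# the three rights this delegation needs are present: "Reset Password" (extended right),
# write to userAccountControl (needed to enable a disabled account), and CreateChild
# (which would explain being able to create users/computers).
Import-Module ActiveDirectory

$OuDn      = "OU=Staff,DC=example,DC=local"   # placeholder: the delegated OU
$GroupName = "PasswordResetters"               # placeholder: the delegated group

# Build a GUID -> name map from the schema (attributes/classes) and Extended-Rights container.
$rootDse = Get-ADRootDSE
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter "(schemaIDGUID=*)" `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter "(objectClass=controlAccessRight)" -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

function Resolve-AceName([guid]$g) {
    if ($g -eq [guid]::Empty) { return "(all)" }            # empty GUID = applies to everything
    if ($guidMap.ContainsKey($g)) { return $guidMap[$g] }
    return $g.ToString()
}

# Only ACEs whose trustee is the delegated group (DOMAIN\Group form).
$trustee = "$((Get-ADDomain).NetBIOSName)\$GroupName"
$aces = (Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference.Value -eq $trustee }

$aces | Select-Object @{n='Rights';   e={$_.ActiveDirectoryRights}},
                      @{n='Type';     e={$_.AccessControlType}},
                      @{n='Object';   e={Resolve-AceName $_.ObjectType}},
                      @{n='AppliesTo';e={Resolve-AceName $_.InheritedObjectType}},
                      @{n='Inherited';e={$_.IsInherited}} |
        Format-Table -AutoSize

# Summarise the rights that matter for this delegation.
$allowed = $aces | Where-Object { $_.AccessControlType -eq 'Allow' }
$canReset  = [bool]($allowed | Where-Object { ($_.ActiveDirectoryRights -match 'ExtendedRight') -and
                   (@('Reset Password','(all)') -contains (Resolve-AceName $_.ObjectType)) })
$canEnable = [bool]($allowed | Where-Object { ($_.ActiveDirectoryRights -match 'WriteProperty') -and
                   (@('userAccountControl','(all)') -contains (Resolve-AceName $_.ObjectType)) })
$canCreate = [bool]($allowed | Where-Object { $_.ActiveDirectoryRights -match 'CreateChild' })
"Reset Password: $canReset  Write userAccountControl (enable): $canEnable  CreateChild: $canCreate"
```

Rights the users hold through other group memberships or inherited from above the OU will not appear under this group's name, so also check the full ACL and the users' group memberships when something is unexpectedly permitted.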