Long story short, I have a guy working on setting up a security group with rights to be able to manipulate user accounts.
I've backed up a bit off of my initial model of restricting their functionality.
They're users who want to be able to unlock user accounts and reset passwords but only on accounts that don't have domain admin level rights....ie regular user accounts.
I don't want them creating accounts, moving accounts into groups, etc. Just unlock...I'm even willing to sacrifice the reset password.
Something is behaving oddly and its not working quite right. The guy working on it is spinning his wheels and is about to call in reinforcements. He's a consultant.
This shouldn't be hard to do. He even had an issue with an account that was in the Account Operators group unlocking a locked account. Odd.