I have a guy who I want to grant ONLY the ability to change user passwords in AD.
i.e. he can login to the AD server, open Active Directory Users and Computers, and change a user's password. But I don't want him to have any other ability to do anything else in AD.
The point here is that he's my helpdesk guy, and ocassionally users need their passwords to be reset. I want him to be able to do that, but nothing else.
How do I do this??