> Hm, if a domain admin already has too many rights for your purposes, you could either create your own global group and stuff it with the needed rights like Ed proposed, or make the guy a member of "server operators", which would grant him the right to alter users.
Hi Markus - I understand the Global group idea, but I can't administer those, either. Only a few central LAN Security techies can administer Globals, so I would be right where my system admin buddy is now, having to call LAN every time I need a change made, and no one likes that :) So, I'm restricted to using Local domain groups (which I like, really, it's a more "encapsulated" environment).
A Server Operator can't administer local groups at all, from my testing. Not sure if that's NT Server standard or whether my agency has customized it. The people who set our NT Server network standards up are long gone now, and no one seems to know much about these issues that are now important with new security policies.
I haven't tested "Account Operator" yet; that's another possibility I will look at after the holidays. Maybe some combination of access levels can work...
The Anonymous Bureaucrat,
and frankly, quite content not to be
a member of either major US political party.