Might be better if you give that specific user "Account Operator" rights. Make sure he has no physical access to the AD though. Also, the tool checks the user who opens it ("if @userid = thisperson").

To contradict NTDOC a bit, I manage networks at quite a few schools; at every school I give the head teacher "Account Operator" rights and give him two tools, one for resetting passwords (only of teachers and students) and one for creating users (again, only with teacher and student rights).

Besides that, I do not allow him to log onto the server, neither physically nor via Terminal Services, and I created a loopback policy for teachers so that they can't do anything network-wise on the server.
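As an added example, not the poster's own tool, this is how such a restricted password-reset tool could look in PowerShell: it refuses to run for anyone but the designated operator and refuses targets outside the student/teacher OUs. The operator name, OU paths and domain are assumed placeholders.

```powershell
# Added example (not the poster's tool): reset a password only when run by the
# designated head-teacher account and only for accounts inside the student/teacher
# OUs. Operator name, OU paths and domain below are assumed placeholders.
#Requires -Modules ActiveDirectory
param(
    [Parameter(Mandatory)][string]$TargetSamAccountName
)

$AllowedOperator = 'SCHOOL\headteacher'          # assumed: the only account allowed to use this tool
$AllowedOUs = @(                                   # assumed: the only OUs the tool may touch
    'OU=Students,DC=school,DC=local',
    'OU=Teachers,DC=school,DC=local'
)

# Equivalent of the post's "if @userid = thisperson" check on the invoking user.
$current = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
if ($current -ne $AllowedOperator) {
    Write-Error "This tool may only be run by $AllowedOperator (current user: $current)."
    exit 1
}

# Look up the target and confirm it lives under one of the allowed OUs, so the
# tool cannot be pointed at an admin or service account elsewhere in the domain.
$user = Get-ADUser -Identity $TargetSamAccountName -Properties MemberOf -ErrorAction Stop
$inScope = $AllowedOUs | Where-Object { $user.DistinguishedName -like "*,$_" }
if (-not $inScope) {
    Write-Error "$TargetSamAccountName is outside the student/teacher OUs; refusing."
    exit 1
}

# Refuse members of privileged groups even if such an account was moved into the OU.
if ($user.MemberOf -match 'CN=(Domain Admins|Administrators|Account Operators),') {
    Write-Error "$TargetSamAccountName is a member of a privileged group; refusing."
    exit 1
}

# Reset the password and force the user to change it at next logon.
$newPassword = Read-Host -AsSecureString "New password for $TargetSamAccountName"
Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPassword
Set-ADUser -Identity $user -ChangePasswordAtLogon $true
Write-Output "Password reset for $TargetSamAccountName by $current at $(Get-Date -Format o)"
```

The operator check gates only this script; the Account Operator group membership itself still applies to that user in any other tool, so the group's scope and the OU restrictions in AD are what actually bound the rights.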