Grant permission in Active Directory to add users, modify them, change passwords and add them to groups, but not delete them

To delegate permission for a domain user to:

  • add new users to a container
  • change passwords
  • modify group membership
  • modify user properties (such as email, name, etc.)
  • move users between OUs

I had to create 2 groups, because the Delegation Wizard would not let me choose individual properties on the User object once I selected more than just the User object type. So I decided to create 2 groups: one for user management and one for group management.

The first one required these steps:

  • Right click on the container and choose Delegate Control
  • When the Delegation Wizard opens, click Next
  • On the next page choose the group you want to give permissions to and press Next
  • On the next page choose Create a custom task to delegate and press Next
  • Choose Only the following objects in the folder, go to the bottom of the list and choose User objects. Choosing anything more than this single entry will not give you the possibility of a granular choice of properties to change.
  • Make sure Create selected objects in this folder is checked and press Next
  • Choose:

    • Read All Properties
    • Write All Properties
    • Read and write general information
    • Read and write logon information
    • Read and write phone and mail options
    • Read and write web information
    • Read and write Terminal Server license server
    • Read and write remote access information
    • Change password
    • Reset password

This allows the delegated group to create users and enable / disable them, but not delete them. At this point the group still cannot change group membership, as that has to be delegated separately.
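The same delegation as the wizard steps above, expressed in PowerShell so it can be reviewed, re-applied and audited. This is an added example, not from the original post; the OU distinguished name and the group name are placeholders, and the GUIDs are the well-known schema identifiers for the User class and the Change Password / Reset Password extended rights.

```powershell
using namespace System.DirectoryServices
using namespace System.Security.AccessControl

# Added example (not from the original post). Placeholders: adjust OU and group.
Import-Module ActiveDirectory

$ouDn      = 'OU=Staff,DC=example,DC=com'   # placeholder container
$groupName = 'HelpDesk-UserAdmins'          # placeholder user-management group

# Well-known GUIDs: User object class and the two password extended rights
$userClass      = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
$changePassword = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'
$resetPassword  = [Guid]'00299570-246d-11d0-a768-00aa006e0529'

$sid   = (Get-ADGroup $groupName).SID
$allow = [AccessControlType]::Allow
$acl   = Get-Acl -Path "AD:\$ouDn"

# 1. "Create selected objects in this folder": CreateChild for User objects only.
#    No DeleteChild is granted, so the group cannot remove users.
$acl.AddAccessRule([ActiveDirectoryAccessRule]::new(
    $sid, [ActiveDirectoryRights]::CreateChild, $allow,
    $userClass, [ActiveDirectorySecurityInheritance]::All))

# 2. "Read All Properties" + "Write All Properties", inherited by User objects
#    beneath the OU (covers enable/disable and the property sets in the wizard).
$acl.AddAccessRule([ActiveDirectoryAccessRule]::new(
    $sid, [ActiveDirectoryRights]'ReadProperty, WriteProperty', $allow,
    [ActiveDirectorySecurityInheritance]::Descendents, $userClass))

# 3. "Change password" and "Reset password" extended rights on User objects.
foreach ($right in $changePassword, $resetPassword) {
    $acl.AddAccessRule([ActiveDirectoryAccessRule]::new(
        $sid, [ActiveDirectoryRights]::ExtendedRight, $allow, $right,
        [ActiveDirectorySecurityInheritance]::Descendents, $userClass))
}

Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verification: list the ACEs granted to the group and confirm that none of them
# carries Delete, DeleteChild or DeleteTree.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType,
                  InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

Run the verification block again after any later change to the OU's ACL; if a Delete right appears for the group, it was added outside this delegation.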