Hello
Thank you for posting in Q&A forum.
Active directory have permission page, it can allow you to control people to change/reset password or not.
For done this, you can open Active Directory Users and Computers. and move three level of user in different OU.
And then right click this 3 level OU >>> Properties >>> Security >>> Advanced >>> Add >>> Principal choose 1 level user >>> Type choose Deny >>> Applies to choose Descendant User Objects >>> Click Clear all at the end of the page >>> make sure Change password and reset password is been select >>> click ok and close permission page.
Now 1 level user can't change and reset password to 3 Level OU, you can follow this step to set the next permission
Best regards
Yanhong
=====================================
If the answer is helpful, please click "Accept answer" and upvote it