Hi,
Following information for your reference:
To reset user passwords:
Right-click the OU > 'Delegate Control'.
At the Welcome dialog, click 'Next'.
At the Users or Groups dialog, click the 'Add...' button. You will be prompted to add a user or group to which you will apply delegated rights.
At the Select Users, Computers, and Groups dialog, either type the name of the object (use domain\username or domain\groupname for best results) or click 'Advanced' > 'Find' to locate the resource you wish to apply permissions to.
At the Tasks to Delegate dialog, you can select from a wide assortment of tasks to assign to your users.
Select 'Reset user passwords and force password change at logon' and click the 'Next' button.
To enable/disable user accounts:
Click the 'Create a custom task to delegate' radio button and click the 'Next' button.
At the 'Permissions' dialog, select the 'General' and 'Property-specific' checkboxes and in the list below, check the following permissions:
Change Password, Reset Password, Read userAccountControl, Write userAccountControl
To grant Active Directory unlock account permissions:
Choose Create a custom task to delegate and click Next.
Choose Only the following objects in the folder from the Delegate control of option.
Check the User objects option as the object to which to delegate.
Click Next to proceed.
Ensure Property-specific is checked.
Scroll to the Read lockoutTime permission and check Read lockoutTime and Write lockoutTime. The properties are sorted in alphanumeric order.
Click Next to proceed.
Review the changes and ensure the changes are correct.
Click Finish to save your changes and close the wizard.
To join, remove computers from domain:
Create a Custom Task to delegate then click next.
Then select "only the following objects in the folder", then tick "computer objects" from the list and also tick the two boxes at the bottom, "create selected object in folder" and "delete selected object in folder", then click next.
On the next screen select "Full control" from the list then click next.
To set up the AD Delegation Wizard for group management:
With a right click on the OU he selects “Delegate Control …” to start the wizard.
Now he decides which rights the helpdesk gets. What is needed:
"Create, delete, and manage groups", "Modify the membership of a group"
Best Regards,
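
One way to check what the wizard steps above actually wrote to the OU, as an added example that is not part of the original post: it lists the explicit ACEs on the OU with attribute, class and extended-right GUIDs resolved to names, and marks Full control grants such as the one on computer objects. It assumes the RSAT ActiveDirectory module is installed; the OU distinguished name is a constructed placeholder.

```powershell
# Added example: audit explicit (non-inherited) ACEs on a delegated OU.
Import-Module ActiveDirectory   # assumption: RSAT AD module is available

$OuDn = 'OU=Staff,DC=example,DC=com'   # constructed placeholder; use your OU's DN

$root    = Get-ADRootDSE
$guidMap = @{}
$guidMap[[guid]::Empty] = 'All'   # an empty GUID means "all properties/classes"

# Schema classes and attributes: schemaIDGUID -> lDAPDisplayName
Get-ADObject -SearchBase $root.schemaNamingContext `
             -LDAPFilter '(schemaIDGUID=*)' `
             -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }

# Extended rights (e.g. Reset Password): rightsGuid -> displayName
Get-ADObject -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" `
             -LDAPFilter '(objectClass=controlAccessRight)' `
             -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

$fullControl = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

# The Delegation of Control wizard writes its ACEs on the OU itself,
# so they show up here as explicit entries that inherit to child objects.
(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { -not $_.IsInherited } |
    ForEach-Object {
        [pscustomobject]@{
            Identity    = $_.IdentityReference
            Type        = $_.AccessControlType
            Rights      = $_.ActiveDirectoryRights
            AppliesTo   = $guidMap[$_.ObjectType]           # attribute or extended right
            OnClass     = $guidMap[$_.InheritedObjectType]  # user, computer, group, ...
            FullControl = (($_.ActiveDirectoryRights -band $fullControl) -eq $fullControl)
        }
    } |
    Sort-Object Identity, OnClass |
    Format-Table -AutoSize
```

Rows for the delegated helpdesk group should show only the entries selected in the wizard (for example lockoutTime and userAccountControl on user objects); a FullControl value of True marks the broadest grants to review.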