I have a user whom I want to be able to disable or enable other domain user accounts without giving that user too many permissions. I spent some time Googling and on Microsoft's support site and couldn't find a specific permission that allowed just that. I found one that allows you to delegate the ability to unlock a user account. After playing with this for a couple of hours I grew to appreciate the complexity and power Active Directory gives an administrator over a domain. What I finally ended up using was a permission that allows the user to enable/disable accounts as well as change anything in the "Account options" window on the Account tab. A bit more than I wanted to give, but not a problem in my case.
Right-click your domain and select "Delegate Control". The Delegation of Control Wizard starts; click Next to begin. Next, select the users or groups that you want to delegate the responsibility to. In my case I have a group called "DisableEnableUsers" that I want to give the ability to disable/enable user accounts.
Next, select the "Create a custom task to delegate" radio button and click Next. On the "Delegate control of:" dialog select "Only the following objects in the folder", scroll down, check "User objects" and click Next. Put a check in the "General" box under "Show these permissions:". Scroll down and check "Read and Write Account Restrictions". Click Next and then Finish.
Now the users and/or groups you delegated "Read and Write Account Restrictions" to will be able to disable or enable user accounts.
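The same delegation can be scripted, which also makes it easy to audit and to scope to an OU instead of the whole domain. The following PowerShell is an added example and not part of the original post: it grants the "DisableEnableUsers" group ReadProperty and WriteProperty on the "Account Restrictions" property set, inherited by User objects only, which is what the wizard steps above produce. It assumes the RSAT ActiveDirectory module is installed, that you run it as an account allowed to modify the target container's ACL, and that the group name and target container are placeholders you adjust. The property-set and class GUIDs are looked up in the forest schema rather than hard-coded.

```powershell
# Added example (not from the original post): scripted equivalent of delegating
# "Read and Write Account Restrictions" on User objects via the Delegation of Control Wizard.
# Assumptions: RSAT ActiveDirectory module present; $GroupName and $TargetDN are placeholders.
Import-Module ActiveDirectory

$GroupName = 'DisableEnableUsers'                 # group named in the post; change as needed
$TargetDN  = (Get-ADDomain).DistinguishedName     # the post delegates at the domain root;
                                                  # an OU DN here is the tighter choice

$rootDse = Get-ADRootDSE

# Resolve the GUIDs from this forest's schema instead of hard-coding them.
# schemaIDGUID of the 'user' class limits the ACE to User objects.
$userClassGuid = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID).schemaIDGUID
# rightsGuid of the 'Account Restrictions' property set (covers userAccountControl and related attributes).
$acctRestrGuid = [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(displayName=Account Restrictions)' -Properties rightsGuid).rightsGuid

$groupSid = (Get-ADGroup -Identity $GroupName).SID
$acl      = Get-Acl -Path "AD:\$TargetDN"

# ReadProperty + WriteProperty on the property set, applied to descendant User objects only.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $acctRestrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)

$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$TargetDN" -AclObject $acl

# Check: show the ACEs now held by the group on the target container.
(Get-Acl -Path "AD:\$TargetDN").Access |
    Where-Object { $_.IdentityReference -like "*\$GroupName" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

A member of the group can then run `Disable-ADAccount -Identity <samAccountName>` and `Enable-ADAccount -Identity <samAccountName>` against users under the target container. Because the Account Restrictions property set includes the userAccountControl attribute, the delegate can also flip the other flags in that attribute (for example "Password never expires" or "Smart card is required for interactive logon"), which is the "a bit more than I wanted to give" the post refers to; scoping $TargetDN to a specific OU limits which accounts this applies to. Enable and disable actions show up in the Security log as events 4722 (account enabled) and 4725 (account disabled), so the delegated group's activity is straightforward to monitor.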