Recently we had to tidy up the delegation given to our helpdesk over user accounts. Frankly, membership of the built-in AD group 'Account Operators' gave them far too much power. The requirements were (only):
Reset passwords
Set the 'User must change password at next logon' flag
Unlock accounts
Any other account functions remain the responsibility of the 'user provisioning and security' team. Delegating password resets and the password flag is straightforward in AD: the reset is the 'Reset Password' extended right, and the flag is a write to the pwdLastSet attribute (the ADUC checkbox sets it to 0). Unlocking accounts, however, is more involved. An unlock is a write to the lockoutTime attribute (ADUC sets it to 0), and prior to Windows 2008 domains that attribute was not shown in the ADUC security editor at all; you had to first expose it by editing the 'dssec.dat' file in \windows\system32 using the following method:
I'm going to focus on Windows 2008 here. In a 2008 domain the lockoutTime attribute is exposed directly in the advanced ACL editor of an object or OU. Here's a screenshot:
Note: you will not see these attributes unless you set 'Applies to' to 'Descendant User objects'. The editor only lists the properties of the object class you select, so at the 'This object only' scope you get the OU's own attributes, not the user ones. Also be aware that accounts in protected groups (Domain Admins and the like) have inheritance disabled and their ACLs reset from AdminSDHolder, so the helpdesk will not be able to reset or unlock those accounts through this delegation, which is usually exactly what you want.
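For anyone who would rather script the delegation than click through the ACL editor on every OU, here is the same set of three ACEs applied with PowerShell. This is an added example, not something from the original post or from Microsoft's documentation: it assumes the ActiveDirectory module is available, and the OU distinguished name and the helpdesk group name are placeholders for your own environment. Rather than hard-coding GUIDs, it looks up the schemaIDGUID of the user class and of the lockoutTime and pwdLastSet attributes, and the rightsGuid of the 'Reset Password' control access right, from the forest at run time, then grants each right inherited to descendant user objects only, which is the same scope the 'Descendant User objects' selection gives you in the GUI.

```powershell
# Added example (not from the original post). Delegates reset password,
# set 'must change password at next logon' (pwdLastSet) and unlock account
# (lockoutTime) on every user object beneath an OU. GUIDs are resolved
# from the schema and configuration partitions rather than hard-coded.
# Assumptions: ActiveDirectory module present; the two values below are
# placeholders for your own environment.
$TargetOU = 'OU=Staff,DC=corp,DC=example'   # placeholder OU
$Delegate = 'CORP\Helpdesk'                  # placeholder helpdesk group

Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

# schemaIDGUID of an attribute or class, looked up by LDAP display name
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    return [guid]$obj.schemaIDGUID
}

# rightsGuid of a control access right (extended right), by display name
function Get-ExtendedRightGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $obj) { throw "Extended right '$DisplayName' not found" }
    return [guid]$obj.rightsGuid
}

$userClass     = Get-SchemaGuid 'user'
$lockoutTime   = Get-SchemaGuid 'lockoutTime'
$pwdLastSet    = Get-SchemaGuid 'pwdLastSet'
$resetPassword = Get-ExtendedRightGuid 'Reset Password'

$sid = (New-Object System.Security.Principal.NTAccount($Delegate)).Translate(
           [System.Security.Principal.SecurityIdentifier])

# Inherit to descendant objects only, and only to objects of class 'user'
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$rpwp    = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
           [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$extRt   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$rules = @(
    # 1. 'Reset Password' extended right
    (New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $extRt, $allow, $resetPassword, $inherit, $userClass)),
    # 2. Read/Write pwdLastSet: the 'User must change password at next logon' flag
    (New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $rpwp, $allow, $pwdLastSet, $inherit, $userClass)),
    # 3. Read/Write lockoutTime: unlock account
    (New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $rpwp, $allow, $lockoutTime, $inherit, $userClass))
)

$acl = Get-Acl -Path "AD:\$TargetOU"
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# Verify: the three ACEs should show InheritanceType 'Descendents' and the
# user class GUID as InheritedObjectType
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.IdentityReference.Value -eq $Delegate } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize
```

Run it once per OU the helpdesk is allowed to touch, and then take them out of 'Account Operators'. The same three ACEs can be granted from a command prompt with dsacls using /I:S (inherit to sub-objects only), in the forms "CORP\Helpdesk:CA;Reset Password;user", "CORP\Helpdesk:RPWP;pwdLastSet;user" and "CORP\Helpdesk:RPWP;lockoutTime;user". Whichever tool you use, check the result against a test account in the OU and against an account in a protected group: the first should be unlockable by the helpdesk, the second should not.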