samba - Oct 2021 - role delegation

I would like to have a user with limited domain admin capabilities; 
namely the ability to add new users and add users to groups, with the 
ideal being to also able to help users reset their password and 
create/delete groups. But this user would not be able to create OU's, 
edit Group Policy, or do anything else other than work with users and 
groups.  Is such a thing even possible?

A related and much easier (let's call it dumb, should have RTFMed) 
quesetion, is what's involved in making other users full domain admins?

On Fri, 2021-10-29 at 16:34 -0500, Patrick Goetz via samba
wrote:
> I would like to have a user with limited domain admin capabilities; 
> namely the ability to add new users and add users to groups, with
> the 
> ideal being to also able to help users reset their password and 
> create/delete groups. But this user would not be able to create
> OU's, 
> edit Group Policy, or do anything else other than work with users
> and 
> groups.  Is such a thing even possible?
Are we talking about doing this on Linux ? if so you could create a
group and then give this group the privileges required. Run (as root):
net rpc rights list privileges -Uadministrator

For a complete list of the available privileges.
> 
> A related and much easier (let's call it dumb, should have RTFMed) 
> quesetion, is what's involved in making other users full domain
> admins?
You gave the answer yourself, add the user to the Domain Admins group
(or Administrators)

Rowland