I needed to delegate permissions to helpdesk (besides making them domain admins) to create and modify users, and modify group membership.  This is slightly different from some of the built in permission groups, since we didn’t want helpdesk to delete users.   185 more words