Hi, In a win2k3 domain I want to assign only the domain user's password reset rights to a user, I don't want this user to even view the group policy of the organizational unit. And if possible the other properties of the user object, I want only the password reset option available or something very restrictive. Regards

Huh, can you rephrase it or am I to slow to understand this question? Holy Wow.

you can set each user to have the ability to renew their own password and you can also force the user to reset their password when they login the next time. This is all done in the Active Directory/User Properties/Account Tab/Account Options.

Off course I can rephrase it, I want to create an admin user who can reset passwords of other users in any Organizational unit using dsa.msc. But this admin user should not be able to view the group policies or perform any other action except this password reset. Its better I hope :-)

You can delegate admin rights to users. Open ADUC and right click on the OU. You'll have to do this per OU if you have several. Select Delegate Control. Go through the wizard. There is an option there that will only allow the resetting of passwords. Good luck.