This procedure grants a user the right to unlock accounts in an OU or domain WITHOUT giving any other administrative rights. Here is how to do it:
- Right-click the OU or domain in the Active Directory Users and Computers console and select Delegate Control from the context menu
- Click Next on the Welcome dialog
- Click Add to select the user or group and click OK
- Click Next
- Select Create a custom task to delegate and click Next
- Select Only the following objects in the folder. In the list, check User objects and click Next
- Clear the General checkbox and check the Property-specific box
- Check both the Read lockoutTime and Write lockoutTime boxes, click Next, and then click Finish.
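
To confirm that the delegation grants only the lockoutTime permissions and nothing else, the following added example (not part of the original page) lists every explicit ACE the delegate holds on the OU and flags anything beyond Read/Write lockoutTime on user objects. It assumes the RSAT ActiveDirectory module; the OU distinguished name and the delegate name are placeholders.

```powershell
# Added example: audit the result of the Delegate Control wizard steps above.
Import-Module ActiveDirectory            # provides the AD: drive used by Get-Acl

$ouDn     = 'OU=Staff,DC=example,DC=com' # placeholder: OU or domain you delegated on
$delegate = 'EXAMPLE\Helpdesk-Unlock'    # placeholder: user or group chosen in the wizard

# Resolve schema GUIDs from the directory instead of hard-coding them
$schemaNc = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$LdapName) {
    $o = Get-ADObject -SearchBase $schemaNc `
            -LDAPFilter "(lDAPDisplayName=$LdapName)" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}
$lockoutTime = Get-SchemaGuid 'lockoutTime'
$userClass   = Get-SchemaGuid 'user'

# The only rights the procedure is meant to grant
$allowed = [int][System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'

(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference.Value -eq $delegate -and -not $_.IsInherited } |
    ForEach-Object {
        # Expected ACE: Allow, scoped to the lockoutTime attribute, applied to
        # descendant user objects, with no rights other than read/write property
        $expected = $_.AccessControlType -eq 'Allow' -and
                    $_.ObjectType -eq $lockoutTime -and
                    $_.InheritedObjectType -eq $userClass -and
                    ([int]$_.ActiveDirectoryRights -band (-bnot $allowed)) -eq 0
        [pscustomobject]@{
            Rights     = $_.ActiveDirectoryRights
            Type       = $_.AccessControlType
            Attribute  = if ($_.ObjectType -eq $lockoutTime) { 'lockoutTime' } else { $_.ObjectType }
            AppliesTo  = if ($_.InheritedObjectType -eq $userClass) { 'user' } else { $_.InheritedObjectType }
            Expected   = $expected
        }
    } | Format-Table -AutoSize
```

Any row with `Expected` set to `False` is a permission the delegate holds on this container beyond account unlock and should be reviewed.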