I have been preaching for years about how powerful Active Directory is in the ability to delegate control over certain tasks and certain objects in Active Directory. One of the most obvious delegations is giving a one group of users the ability to reset passwords for a different group of users. There are a few issues using the Microsoft solution, and those issues can cause insecure settings, hard-to-report delegations, and access to AD that is hard to find and remove