How to: create group that can only add/mod/del users in AD

  • Thread starter: John K

John K

How do I create a group that can ONLY add/modify/delete
users in AD? The user CANNOT have rights to log in to the
system. Can this be done through something called "Service
Login???"
Thanks
 
You need to be able to authenticate (log in) to the system before you are
given security access tokens. It doesn't matter if you log in via a console
or a service. You could limit which machines an ID could log on to if that
is of any assistance.
 
Here's a breakdown of what I'm trying to accomplish.
I want a script/program to be able to connect to a remote
system and add/del/mod user accounts in AD.

Now, the script/program needs to somehow authenticate on
the remote system to do its stuff. What's the best way?
I'm thinking of having a user created that is delegated
the task of managing accounts.

I DON'T want this user account to be used to log in
anywhere. Only used by my script/program to do its job.

I was told that a "service user" can be used.
 