This took me forever to figure out, but I finally found a solution to this.
If you've got the second edition of the book, take a look at the bottom of page 85. The paragraph under the bullets instructs you to add Domain Users to the Print Operators group. Turns out that explicit memberships to Builtin Domain Local Security
groups override delegated permissions from other groups (i.e. Global security groups, such as Help Desk). Therefore, when you're logging in as Barbara Mayer, the system is seeing her as a Print Operator and not Help Desk. When you try to reset
a user's password, the system doesn't even pull up her Help Desk permissions.
The solution is to add both Help Desk and Print Operators to the list when using the Delegate Control menu as Administrator to give permissions to reset user passwords in the User Accounts OU. Instead of just adding Help Desk, add Help Desk AND Print
Operators. Worked like a charm for me.
The reason this isn't such a big deal in production is because you would almost never add someone to the Print Operators group and then have that user logon directly to the DC.
Good luck!
-Brandon
