Privileges for resetting password, changing password, unlocking account, and read profile


http://serverfault.com – I have made a service that has the capability to reset and change passwords, unlock a locked-out account, and read AD profile values (e.g. sn, firstname etc.) of some domain user after the user verifies himself by phone. On the target domain server, there exists a privileged account that is capable of doing these tasks. I use the .NET Framework Directory Services API and use the privileged account to perform the tasks. So far, my privileged account was basically a domain admin and was capable of doing way more than required. Now, as part of trial runs, I need to know the exact policies I need to
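One way to replace the domain-admin account with a narrowly delegated one, as an added example that is not part of the question: grant the service account only the Reset Password and Change Password control-access rights, write access to lockoutTime (for unlocking) and read access to user properties, inherited by user objects under a single OU. The account name `svc-helpdesk` and the OU `OU=Staff,DC=example,DC=com` are assumptions; the rights and attribute GUIDs are looked up from the schema rather than hard-coded.

```powershell
# Added example: least-privilege delegation for a phone-verification helpdesk service.
# Assumptions: service account 'svc-helpdesk' exists and is NOT a member of any admin
# group; 'OU=Staff,DC=example,DC=com' is the only OU whose users it may act on.
Import-Module ActiveDirectory

$ServiceAccount = 'svc-helpdesk'                 # assumed name
$TargetOu       = 'OU=Staff,DC=example,DC=com'   # assumed scope

$rootDse  = Get-ADRootDSE
$schemaNc = $rootDse.schemaNamingContext
$configNc = $rootDse.configurationNamingContext

# Resolve GUIDs from the schema / configuration partition instead of hard-coding them.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$configNc" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$o.rightsGuid
}

$userClass      = Get-SchemaGuid 'user'                 # ACEs apply only to user objects
$lockoutTime    = Get-SchemaGuid 'lockoutTime'          # writing 0 here unlocks the account
$resetPassword  = Get-ExtendedRightGuid 'Reset Password' # set a new password without the old one
$changePassword = Get-ExtendedRightGuid 'Change Password' # change with the old password supplied

$sid     = (Get-ADUser $ServiceAccount).SID
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

$rules = @(
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, 'ExtendedRight', $allow, $resetPassword,  $inherit, $userClass)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, 'ExtendedRight', $allow, $changePassword, $inherit, $userClass)
    # Only lockoutTime becomes writable; no other attribute is granted WriteProperty.
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, 'WriteProperty', $allow, $lockoutTime, $inherit, $userClass)
    # Read all properties of user objects (sn, givenName, ...). Narrow this to specific
    # attribute GUIDs via Get-SchemaGuid if the service needs only a handful of them.
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, 'ReadProperty', $allow, $inherit, $userClass)
)

$acl = Get-Acl -Path "AD:\$TargetOu"
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path "AD:\$TargetOu" -AclObject $acl

# Verification: show exactly what the service account now holds on the OU.
(Get-Acl -Path "AD:\$TargetOu").Access |
    Where-Object { $_.IdentityReference -like "*\$ServiceAccount" } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType
```

Once the service binds with this account instead of the domain admin, any attempt to modify other attributes or act outside the OU fails with an access-denied error, which is the behaviour a trial run should confirm before go-live.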