WS02 Identity Server Active Directory Permissions -

i'm working company partner working on implementation of ws02 our site. mentioned ad user account created them (which @ point in time standard, non-admin user account) needs have write permissions, user account can reset passwords.

the question have is, which permissions in ad account need granted? when scanned through ws02 administration guide, found vague references account needing "read/write permission."

ideally, i'd either use 'delegate control' wizard, or advanced security window grant:

• reset password: to...you know...reset user object's password
• read lockout time: read if account locked out
• write lockout time: set lockout time 0, unlocking account
• read useraccountcontrol: [optional] see if account disabled
• write useraccountcontrol: [optional] disable/enable account

call me paranoid, i'd rather assign selective/granular permissions so, rather give account domain admin level permissions.

help?