There are a lot of articles on this and I got it all to work using 2 servers.
I loaded RSAT (just the "AD DS and AD LDS Tools", i.e. MMC) on a standalone Server 2008 R2 with a user login (call it pwdhelpdesk / group "Users"). I created the same user (pwdhelpdesk / group "Domain Users") on the DC and went through all the "Delegate Control" stuff using this article. http://social.technet.microsoft.com/Forums/en-US/winserverManagement/thread/3f0dbf8e-636b-45fe-93db-f788d5b976fd/
I then tied the 2 servers together using this article http://technet.microsoft.com/en-us/library/dd759202.aspx
Back on the standalone server, log in as "pwdhelpdesk" -> start MMC -> load the ADUC snap-in -> select "Connect to Domain..." = the current source user "pwdhelpdesk" goes over to the DC as remote user "pwdhelpdesk" with "Delegated Control" for only password reset / unlock account. - PERFECT
NOW TO SET UP MY QUESTION: However - when "pwdhelpdesk" logs directly onto the DC - when attempting to run MMC or ADUC - the User Access Controls deny the ability. Some articles say make "pwdhelpdesk" a member of Backup Operators, or Server Operators, or even disable UAC. None of these seem any good at all.
THE QUESTION: Can a non-admin (Domain User) be configured precisely / surgically to execute MMC or ADUC on a DC? Please don't say it is not recommended for users to log in to a DC. I just want to know if it is possible - so I can be thorough in my "help desk reset password / unlock account" architectural report to management.
BTW: I prefer the 2 server method - The standalone can run TS and multiple user CAL Licenses and act as a sort of Jump Host.
Thank you.
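As an added check that is not part of the original post: whichever of the two approaches ends up in the report, the thing management will actually want evidence of is that the "Delegate Control" wizard granted pwdhelpdesk only the reset-password and unlock rights on the target OU and nothing broader. The PowerShell below (my script, not from the linked articles) reads the OU's ACL over the ActiveDirectory module's AD: drive and classifies every ACE held by the delegated account. It assumes RSAT's ActiveDirectory module is installed, the account name "pwdhelpdesk" from the post, and an OU path that is a placeholder you replace with your own; the GUIDs are the well-known schema/extended-right GUIDs the wizard uses for these two tasks.

```powershell
# Verification script (added example, not from the original post).
# Lists the ACEs the delegated help-desk account holds on an OU and flags
# anything beyond "Reset Password" and "write lockoutTime" (unlock) for review.
# Assumes: RSAT ActiveDirectory module present; account name from the post;
# the default OU path is a placeholder.
Import-Module ActiveDirectory

# Well-known GUIDs used by the Delegate Control wizard for these tasks
$ResetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # extended right: Reset Password
$LockoutTimeAttr    = [Guid]'28630ebf-41d5-11d1-a9c1-0000f80367c1'  # attribute: lockoutTime (unlock account)
$PwdLastSetAttr     = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # attribute: pwdLastSet (wizard often adds it)
$UserClass          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # object class: user

function Get-HelpDeskDelegation {
    param(
        [string]$OUPath  = 'OU=Staff,DC=example,DC=local',  # placeholder, replace with your OU
        [string]$Account = 'pwdhelpdesk'                    # delegated account from the post
    )

    $acl = Get-Acl -Path "AD:\$OUPath"

    foreach ($ace in $acl.Access) {
        # Only ACEs that name the help-desk account (DOMAIN\pwdhelpdesk)
        if ($ace.IdentityReference.Value -notlike "*\$Account") { continue }

        # Describe what the ACE grants and whether it is within the intended scope
        $expected = $false
        $what = switch ($ace.ObjectType) {
            $ResetPasswordRight { $expected = $true; 'Reset Password (extended right)' }
            $LockoutTimeAttr    { $expected = $true; 'Write lockoutTime (unlock account)' }
            $PwdLastSetAttr     { $expected = $true; 'Write pwdLastSet' }
            default             { "Other: $($ace.ActiveDirectoryRights) on object type $($ace.ObjectType)" }
        }

        # An empty ObjectType means the right applies to ALL attributes/rights,
        # which is broader than a surgical reset/unlock delegation.
        if ($ace.ObjectType -eq [Guid]::Empty) { $expected = $false }

        # The wizard scopes these ACEs to descendant user objects; anything wider
        # (e.g. all object classes) is worth a second look.
        $scopedToUsers = ($ace.InheritedObjectType -eq $UserClass)

        [PSCustomObject]@{
            Identity      = $ace.IdentityReference.Value
            Type          = $ace.AccessControlType       # Allow / Deny
            Grants        = $what
            ScopedToUsers = $scopedToUsers
            Inherited     = $ace.IsInherited
            Verdict       = if ($expected -and $scopedToUsers -and $ace.AccessControlType -eq 'Allow') { 'OK' } else { 'REVIEW' }
        }
    }
}

# Usage: run from an account that can read the OU's security descriptor.
Get-HelpDeskDelegation -OUPath 'OU=Staff,DC=example,DC=local' -Account 'pwdhelpdesk' |
    Format-Table -AutoSize
```

Every row should come back as "OK"; a "REVIEW" row means either the wizard was run with a wider template than reset/unlock, or someone later granted the account something extra (for example GenericAll with an empty ObjectType), which is exactly the kind of drift the report should say gets re-checked periodically. Note this only audits the directory-side delegation; it says nothing about the local UAC/MMC behaviour on the DC that the question is about.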