I want to allow a user to run setspn on service accounts and other specific user accounts. This person is not a domain admin and we don't want to add him at this time. He is a member of a global group we created to allow him and one other person to modify SPNs. What security permissions do I need to set on the group to allow this? I have already read the article at http://technet.microsoft.com/en-us/library/cc731241%28v=ws.10%29.aspx but that only tells me how to set permissions to modify SPNs on computer objects and not user objects.
I found a post at this - http://social.technet.microsoft.com/Forums/en/winserverDS/thread/1262a5f8-20da-4df2-8ced-42529ece89fa - but again, no information as to how to configure permissions to run setspn for service\user accounts.
Does anyone know the permissions to set on the group account to allow this?