Delegation on Active Directory isn’t easy. A lot of us wil use the Method discribed here.
The problem with that way is that you are giving more rights then you might want.
You can not give delegate rights to on one group, unless you put o this one group in an Organisational Unit. But if you move the group, the rights are lost.
I will show you a way to set deleation on one group. Even if you move it to another OU, the permissions wil stay in the acl of the Group.
With delegate using the ADUC method, you can not delegate rights to only one Property on a Object. I will show you a way to give a group Write acces to only the Mail Attribute on every User in an Organasational Unit.
www.shellandco.net/playing-acl-active-directory-objects
A good start on how Active Directoy realy works and how to set it to your hands i recommend reading the following books.
Understanding and Deploying LDAP Directory Services (paperback), 2nd Edition By Timothy A. Howes, Mark C. Smith, Gordon S. Good
ISBN-10: 0-672-33446-1
ISBN-13: 978-0-672-33446-7
Inside Windows 2003 from William Bosswell and then espacially the Captial Understanding Active Directory Services.
ISBN-13: 978-0735711587
ISBN-10: 0735711585
This Capital you will find online at Informit.
Some good links to start reading. From a few af these wou will regonize parts of my scripts.
active-directory-delegation-via-powershell
playing-acl-active-directory-objects
understanding-active-directory-for-beginners-part-1
view-or-remove-active-directory-delegated-permissions