How to give a user adminrights for users and groups only?

How can I give user the rights to administer users and groups and nothing else?

If I make him member of the group “Account Operators” and try to loging I get the error: “There is no module available for the authenticated user”

I would also very much like to know that. For example, the secretary can only create trainees.

Bumping this.
Any update on this? It seems you must be a domain admin to do anything. Do not want to give that much control to someone that is just helping create accounts.