Found a very useful way of providing users the ability to run administrative tasks without providing passwords to the users. By using the runas command you can launch programs with different credentials, however you need to enter a password. If you provide the user with the password then they could use it to do a lot of other things. Providing a user with a batch file helps, but it doesn’t take much brainpower to read the batch file and obtain the password. However, thanks to techtarget they suggest the use of Microsoft Script Encoder. This takes an existing vbs batch file and encodes the output. Although not pgp strength encryption it would be strong enough to deter the casual browser of your hard disk/batch files. (the only downside is providing a new file when the password to the account changes.)
Incidentally I’ve had to investigate this as one of our users can not admin our iis server settings despite being listed on the operators tab.