Score:-1

Need specific pw reset restriction in Active Directory


So right now anyone in our help desk can reset the AD password of any account, including domain admins. How can I make it so that they can reset passwords for standard users, but only sysadmins can reset the passwords of other sysadmins? (Also looking to do the same thing with adding to groups tbh) Thank you!

https://activedirectorypro.com/delegate-control-in-active-directory/
Normally this is not the case. The help desk must have been added to groups that would have conferred this ability. Active Directory has a process that runs on an interval to ensure that Admin accounts are protected from this vulnerability.
Score:0

AD accounts with elevated permissions (e.g. Domain Admins, Enterprise Admins, Schema Admins, etc.) would be members of the Protected Users group (make sure to review Microsoft's warnings on what that will do) which does several things, including preventing delegation (https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group).

The answer is that you need to design a good AD structure: the user objects whose passwords help desk individuals should be allowed to reset should sit in Organizational Units (OUs) on which the help desk individuals have been delegated the "Reset user passwords and force password change at next logon" permission.

Another approach is to create a security group that will be delegated the "Reset user passwords and force password change at next logon" permission. Add the help desk accounts to the security group. Identify the OUs where users are located that the help desk accounts should be allowed to reset their passwords. On each of the aforementioned OUs, delegate the "Reset user passwords and force password change at next logon" right to the security group you created.
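The security-group approach from the answer above, scripted in PowerShell as an added example (this is not code from the original answer or from Microsoft). It writes the same two ACEs that the "Delegate Control" wizard creates for "Reset user passwords and force password change at next logon" (the User-Force-Change-Password extended right plus write access to pwdLastSet, both scoped to descendant user objects), adds a third ACE for the "adding to groups" part of the question (write to the member attribute of descendant group objects), and then checks the result. The domain name, the OU paths and the group name are assumptions; the schema GUIDs are the well-known ones and are the same in every forest.

```powershell
# Added example, not from the original thread. Assumes the RSAT ActiveDirectory
# module, an OU "OU=Standard Users,<domain>" holding only non-privileged users and
# groups, an existing "OU=Groups,<domain>", and a group named "HelpDesk-Delegated".
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$targetOu  = "OU=Standard Users,$($domain.DistinguishedName)"  # assumption
$groupName = 'HelpDesk-Delegated'                                # assumption

# Well-known schema GUIDs used in AD ACEs (identical in every forest).
$ForceChangePassword = [Guid]'00299570-246d-11d0-a768-00aa006e0529' # extended right
$PwdLastSet          = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2' # attribute
$Member              = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2' # attribute
$UserClass           = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2' # object class
$GroupClass          = [Guid]'bf967a9c-0de6-11d0-a285-00aa003049e2' # object class

# 1. Create the delegation group if it does not exist, then add help desk accounts to it.
$group = Get-ADGroup -Filter "Name -eq '$groupName'"
if (-not $group) {
    $group = New-ADGroup -Name $groupName -GroupScope DomainLocal -GroupCategory Security `
                         -Path "OU=Groups,$($domain.DistinguishedName)" -PassThru
}
$sid = [System.Security.Principal.SecurityIdentifier]$group.SID

$allow       = [System.Security.AccessControl.AccessControlType]::Allow
$descendants = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$extended    = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$readWrite   = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$write       = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

# 2. ACEs for "Reset user passwords and force password change at next logon",
#    applied to user objects below the OU only (never to the OU itself).
$aces = @(
    # Reset password = the User-Force-Change-Password control access right.
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, $extended, $allow, $ForceChangePassword, $descendants, $UserClass)
    # "User must change password at next logon" = writing pwdLastSet to 0.
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, $readWrite, $allow, $PwdLastSet, $descendants, $UserClass)
    # 3. Group membership: write the "member" attribute of descendant groups only.
    #    Privileged groups live elsewhere, so this never reaches Domain Admins etc.
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, $write, $allow, $Member, $descendants, $GroupClass)
)

$acl = Get-Acl -Path "AD:\$targetOu"
foreach ($ace in $aces) { $acl.AddAccessRule($ace) }
Set-Acl -Path "AD:\$targetOu" -AclObject $acl

# 4. Verify what was granted, and flag anything SDProp protects under this OU.
#    Accounts with adminCount=1 carry the AdminSDHolder ACL with inheritance
#    disabled (re-stamped by SDProp, hourly by default), so the delegation above
#    never applies to them; conversely, a help desk member listed here would
#    keep admin-level ACLs and should be moved out of this OU.
(Get-Acl -Path "AD:\$targetOu").Access |
    Where-Object { $_.IdentityReference -eq "$($domain.NetBIOSName)\$groupName" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType

Get-ADUser -SearchBase $targetOu -Filter 'adminCount -eq 1' |
    Select-Object SamAccountName, DistinguishedName
```

Two points to keep in mind when running this for real: put the ACEs on the specific OUs, never on the domain root, because inheritance would otherwise carry the reset right to every non-protected account in the domain; and note that adminCount=1 can be stale on an account that was removed from a privileged group, so the final query is a list to review rather than a list of current admins.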
