[Zope] Non-manager user administrators?

[Keating, Tim]

I want to give certain users the ability to create, delete and change the
password for users in general, without making full-blown managers. Anyone
know of a way to do this? You can create a role and restrict its access to
the acl_users folder, but since they can create users, they can just create
one with the manager role and circumvent the whole thing.

Am I stuck with creating a page that uses the Zope API to provide this
functionality?

Thanks for any input!
TK