Monday, January 9, 2012

Delegated Administration

This is an underused Salesforce (SFDC) security feature that is useful for doling out user administration privileges:

Your Name > Setup > Administration Setup > Security Controls > Delegated Administration

Here you can create delegated groups and assign users to them. Within a group you control which part of the role hierarchy its members are allowed to have user administration over, and you define which profiles they are allowed to assign (make sure not to make any system administrator profiles available to be assigned).

For example, say you have regional operations personnel who would like to manage users in their particular region, such as North America. You can create an NA delegated group, add the NA portion of the role hierarchy to that group, and then assign the regional operations person to the group. You can also limit which profiles they can assign to those users.

An additional aspect of this is the ability to grant delegated administrators administration privileges over certain custom objects. They can then customize nearly all aspects of each custom object that has been granted. The only things they can't do are modify relationships on the object or change the org-wide sharing defaults for the object.

Note, a user can be part of more than one delegated group, so the privileges are stackable.
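Because privileges stack and an assignable admin profile defeats the purpose of delegation, it is worth reviewing group definitions together rather than one at a time. The following is an added example, not Salesforce code or part of the original post: the dict layout, group names, user names and the `ADMIN_PROFILES` set are constructed assumptions standing in for whatever you transcribe from the Delegated Administration setup pages.

```python
# Constructed sample data: a hand-written inventory of delegated groups.
# The dict layout is an assumption for this example, not a Salesforce API format.
ADMIN_PROFILES = {"System Administrator"}  # profiles that must never be assignable

GROUPS = [
    {"name": "NA Delegated Admins", "members": {"alice"},
     "roles": {"NA Sales", "NA Support"}, "profiles": {"Standard User"},
     "custom_objects": set()},
    {"name": "Invoice Object Admins", "members": {"alice", "bob"},
     "roles": set(), "profiles": set(), "custom_objects": {"Invoice__c"}},
    {"name": "EMEA Delegated Admins", "members": {"carol"},
     "roles": {"EMEA Sales"},
     "profiles": {"Standard User", "System Administrator"},
     "custom_objects": set()},
]

def effective_privileges(groups):
    """Union each user's privileges across every delegated group they are in."""
    result = {}
    for g in groups:
        for user in g["members"]:
            p = result.setdefault(user, {"groups": [], "roles": set(),
                                         "profiles": set(),
                                         "custom_objects": set()})
            p["groups"].append(g["name"])
            for key in ("roles", "profiles", "custom_objects"):
                p[key] |= g[key]
    return result

def audit(groups, admin_profiles=ADMIN_PROFILES):
    """Return (subject, finding) pairs: exposed admin profiles, then stacked users."""
    findings = []
    for g in groups:
        exposed = g["profiles"] & admin_profiles
        if exposed:
            findings.append((g["name"], "admin profile assignable: "
                             + ", ".join(sorted(exposed))))
    for user, p in sorted(effective_privileges(groups).items()):
        if len(p["groups"]) > 1:
            findings.append((user, "stacked privileges from: "
                             + ", ".join(p["groups"])))
    return findings

if __name__ == "__main__":
    for subject, finding in audit(GROUPS):
        print(f"{subject}: {finding}")
```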
