Delegate Token Management
In the “Administrative Groups” dialog, you can select a security group whose users will be allowed to program and import new YubiKeys, Provision OATH Tokens, and assign/reassign tokens to users. This is a very powerful permission since these admins can mint their own 2-factor tokens for any user, but of course less powerful than making them Domain Admins.
You can also select a security group whose users will be allowed to see the OTP of Recovery tokens. This can allow a help desk worker to assist a user to access their offline workstation for example, without giving that worker a more powerful access.