You would run through the SecurityAssist wizard to create the front end, removing the access group field from the registration and user update pages, then you would update the login page so that the userUserLevelID is also stored in the session.
Then you could limit access in the SecurityAssist rules to check that session variable to give specific privileges to specific groups.
Then use DataAssist to create a set of insert/update pages to allow the admin to set the user group from a list using the userlevel table to populate the select list where you choose the userid.
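The access-control logic behind these three steps, as an added framework-free Python model (not SecurityAssist or DataAssist output, and not part of the original reply). Only `userUserLevelID` comes from the text above; the level IDs, the other field names and the function names are assumptions made for the illustration.

```python
import hashlib, hmac, os

# Constructed stand-ins for the users and userlevel tables (hypothetical IDs).
USERLEVELS = {1: "member", 2: "editor", 3: "admin"}
USERS = {}
SELF_SERVICE_FIELDS = {"email", "display_name"}  # userUserLevelID deliberately absent
DEFAULT_LEVEL, ADMIN_LEVEL = 1, 3

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def register(userid, form):
    """Registration page: only allowlisted fields are copied, so a posted
    userUserLevelID is ignored and every new account gets the default level."""
    if userid in USERS:
        raise ValueError("userid already registered")
    salt = os.urandom(16)
    record = {k: v for k, v in form.items() if k in SELF_SERVICE_FIELDS}
    record.update(salt=salt, pw=_hash(form["password"], salt),
                  userUserLevelID=DEFAULT_LEVEL)
    USERS[userid] = record

def update_profile(session, form):
    """User update page: same allowlist, applied only to the caller's own row."""
    USERS[session["userid"]].update(
        {k: v for k, v in form.items() if k in SELF_SERVICE_FIELDS})

def login(userid, password):
    """Login page: on success the level read from the users row goes into the session."""
    user = USERS.get(userid)
    if user is None or not hmac.compare_digest(user["pw"], _hash(password, user["salt"])):
        return None
    return {"userid": userid, "userUserLevelID": user["userUserLevelID"]}

def allowed(session, levels):
    """Access rule: the session's level must be one the page permits."""
    return session is not None and session.get("userUserLevelID") in levels

def admin_set_level(session, target_userid, level_id):
    """Admin page: rule check first, then accept only IDs present in userlevel."""
    if not allowed(session, {ADMIN_LEVEL}):
        raise PermissionError("admin level required")
    if target_userid not in USERS or level_id not in USERLEVELS:
        raise ValueError("unknown user or level")
    USERS[target_userid]["userUserLevelID"] = level_id
```

Because the session holds a copy of the level taken at login, a change made on the admin page applies to the affected user from their next login, not to a session that is already open.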