Solved

Delegate control in Active Directory

Posted on 2003-11-03
Last Modified: 2010-04-14
I want to delegate control to a group of users so they can change the "Notes" field in the "Telephones" tab in a user's properties sheet in Active Directory.

I was able to delegate control of other tasks but I can't find anything regarding allowing my group to write the "note" field.
The property "note" is shown in ADSIEdit as "info".
I have an application I wrote that makes the change to objUser.info. It works fine from the admin account but for the group of delegated users it fails when it tries writing the change with the line: objUser.setInfo, right after changing the info field.

This is how the code looks:

objUser.info = "User was Un-Blocked"
objUser.setInfo

Does anyone know anything extra about delegating control of AD objects?

Thanks.
0
Question by:chayahd99
12 Comments
 
LVL 4

Expert Comment

by:Vinnnnie
ID: 9671494
Is this Windows 2000 Server or 2003 Server?
0
 

Author Comment

by:chayahd99
ID: 9671623
Windows 2000 Server
0
 
LVL 4

Expert Comment

by:Vinnnnie
ID: 9671711
Well, I took a look at my help files and take a look at this URL:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/ad/windows2000/plan/addeladm.asp

Seems to cover what you need to but I have not done that yet.
0
 
LVL 85

Accepted Solution

by:
oBdA earned 600 total points
ID: 9672004
You'll need to edit the dssec.dat file in %SystemRoot%\system32 which filters most security properties. You should then be able to add the right to edit the note field to your delegated group.
How to Modify the Filtered Properties of an Object
http://support.microsoft.com/?kbid=296490

Here's how it works for "unlock account"; your procedure should be about the same, all you have to do is to find the proper entry for the "Notes" field ... ;)
How To Delegate the Unlock Account Right
http://support.microsoft.com/?kbid=294952
0
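
As an added example (not code from the thread or from Microsoft), the PowerShell below looks up how dssec.dat filters one attribute of a class and builds a `dsacls` grant of write access to that single attribute, a command-line route the thread does not use. The sample file content, the OU `OU=Staff,DC=example,DC=com`, the group `EXAMPLE\NoteEditors` and both function names are assumptions; the meaning of 7 (hidden) and 0 (shown) follows the linked KB articles.

```powershell
# Constructed sample in the dssec.dat layout: [class] sections with attribute=value lines.
# These entries are illustrative, not copied from a real dssec.dat.
$sample = @'
[user]
lockoutTime=7
telephoneNumber=0

[group]
member=0
'@

# Hypothetical helper: report how one attribute of one class is filtered.
function Get-DssecFilterState {
    param([string[]]$Lines, [string]$Class, [string]$Attribute)
    $inSection = $false
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') {
            # Section header: track whether we are inside the requested class
            $inSection = ($Matches[1] -ieq $Class)
            continue
        }
        if ($inSection -and $t -match '^([^=]+)=(\d+)$') {
            $name  = $Matches[1].Trim()
            $value = $Matches[2]
            if ($name -ieq $Attribute) {
                switch ($value) {
                    '7'     { return 'filtered (hidden in the security editor)' }
                    '0'     { return 'shown (read and write)' }
                    default { return "value $value (see KB 296490)" }
                }
            }
        }
    }
    return 'not listed'
}

# Hypothetical helper: build (not run) a dsacls grant of write-property (WP) on one
# attribute. /I:S applies the entry to child objects only, here limited to $Class.
function New-AttributeWriteGrant {
    param([string]$ContainerDn, [string]$Group, [string]$Attribute, [string]$Class)
    'dsacls "{0}" /I:S /G "{1}:WP;{2};{3}"' -f $ContainerDn, $Group, $Attribute, $Class
}

# Real use: $lines = Get-Content "$env:SystemRoot\system32\dssec.dat"
$lines = $sample -split '\r?\n'
foreach ($attr in 'lockoutTime', 'telephoneNumber', 'info') {
    '{0,-16} {1}' -f $attr, (Get-DssecFilterState -Lines $lines -Class user -Attribute $attr)
}
New-AttributeWriteGrant -ContainerDn 'OU=Staff,DC=example,DC=com' -Group 'EXAMPLE\NoteEditors' -Attribute info -Class user
```

Review the printed `dsacls` line before running it, then run `dsacls` on a user object under that OU to list its ACL and confirm the group holds write access to `info` only.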
 

Author Comment

by:chayahd99
ID: 9676657
Thank you oBdA,

Those two articles explain exactly what I need, but in the dssec.dat file I couldn't find a property named UserInfo or anything similar.

How can I find that particular attribute that I'm looking for?

In "Active Directory Users & Computers" MMC it's called note and in AdsiEdit it's called info.
0
 

Author Comment

by:chayahd99
ID: 9676869
One more thing:

As a temporary test, I went through the "Delegate Control" wizard and let my group have "read all properties" & "write all properties".
This solved the problem for now, but it is only a temporary solution, since I don't want to give them the right to change all properties.

Please tell me what the "info" property is called in the "dssec.dat" file.
0
 
LVL 85

Expert Comment

by:oBdA
ID: 9681516
This seems indeed to be a wee bit difficult ...
I'll continue to look for it, but it might take some time.
0
 

Author Comment

by:chayahd99
ID: 9684811
Thanks a lot. I'll keep on looking through other sources also.
0
 

Author Comment

by:chayahd99
ID: 9685356
The problem solved itself, somehow, I'm not sure how.

I love Microsoft...
0
 
LVL 85

Expert Comment

by:oBdA
ID: 9685439
Well, glad it's working now; but could you elaborate on the "solved itself" part? I got interested myself on where to find this certain property ...
0
 

Author Comment

by:chayahd99
ID: 9685487
I didn't change the property in the "dssec.dat" file, because I didn't find it there.

As I wrote above, as a temporary test, I went through the "Delegate Control" wizard and let my group have "read all properties" & "write all properties".
Since I couldn't leave it that way, I changed it back so my group has only the specific rights that they need and then when I tested my application I saw that I do not get the errors anymore.

Beauty !!!

In the past, I found cases where something didn't work, but when I changed a property (or whatever) and then changed it back to the way it was, it started working. Just like turning the computer off and on...
0
 
LVL 85

Expert Comment

by:oBdA
ID: 9685534
Oh well; I guess there are some things that just aren't meant to be understood. Thanks for the information.
0
