Delegate control in Active Directory

I want to delegate control to a group of users so they can change the "Notes" field in the "Telephones" tab in a users properties sheet in Active Directory.

I was able to delegate control of other tasks but I can't find anything regarding allowing my group to write the "note" field.
The property "note" is shown in ADSIEdit as "info".
I have an application I wrote that makes the change to It works fine from the admin account but for the group of delegated users it fails when it tries writing the change with the line: objUser.setInfo, right after changing the info field.

This is how the code looks: = "User was Un-Blocked"

Does anyone know anything extra about delegating control of AD objects ?

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Is this Windows 2000 Server or 2003 Server?
chayahd99Author Commented:
Windows 2000 Server
Well, I took a look at my help files and take a look at this URL:

Seems to cover what you need to but I have not done that yet.
Acronis True Image 2019 just released!

Create a reliable backup. Make sure you always have dependable copies of your data so you can restore your entire system or individual files.

You'll need to edit the dssec.dat file in %SystemRoot%\system32 which filters most security properties. You should then be able to add the right to edit the note field to your delegated group.
How to Modify the Filtered Properties of an Object

Here's how it works for "unlock account"; your procedure should be about the same, all you have to do is to find the proper entry for the "Notes" field ... ;)
How To Delegate the Unlock Account Right

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
chayahd99Author Commented:
Thank you oBdA,

Those two articles explain exactly what I need, but in the dssec.dat file I couldn't find a property named UserInfo or anything similar.

How can I find that particular attribute that I'm looking for?

In "Active Directory Users & Computers" MMC it's called note and in AdsiEdit it's called info.
chayahd99Author Commented:
One more thing:

As a temporary test, I went threw the "Delegate Control" wizard and let my group have "read all properties" & "write all properties".
This solved the problem for now, but it is only a temporary solution, since I don't want to give them the right to change all properties.

Please tell me what the "info" property is called in the "dssec.dat" file.
This seems indeed to be a wee bit difficult ...
I'll continue to look for it, but it might take some time.
chayahd99Author Commented:
Thanks alot. I'll keep on looking threw other sources also.
chayahd99Author Commented:
The problem solved itself, some how, I'm not sure how.

I love Microsoft...
Well, glad it's working now; but could you elaborate on the "solved itself" part? I got interested myself on where to find this certain property ...
chayahd99Author Commented:
I didn't change the property in the "dssec.dat" file, because I didn't find it there.

As i wrote above, as a temporary test, I went threw the "Delegate Control" wizard and let my group have "read all properties" & "write all properties".
Since I couldn't leave it that way, I changed it back so my group has only the specific rights that they need and then when I tested my application I saw that I do not get the errors anymore.

Beauty !!!

In the past, I found cases where something didn't work, but when I changed a property (or whatever) and then changed it back to the way it was, it started working. Just like turning the computer off and on...
Oh well; I guess there are some things that just aren't meant to be understood. Thanks for the information.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows 2000

From novice to tech pro — start learning today.