Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win


Delegate edit for specific user properties in MMC

Posted on 2004-04-21
Medium Priority
Last Modified: 2012-08-13
I need to allow an administrative assistant the ability to update user properties in Active Directory for four tabs: General, Address, Telephones, and Organization.  I know that I should be able to use the delegation wizard, but I haven't been able to find the appropriate properties for 'Create a custom task'.  I've scanned through the DSSEC.DAT for the permissions, but there weren't many properties listed under the user heading.

Surely this specific customization has been done hundreds of times, why haven't I been able to find a single instance documented?  The examples for customized delegation I've found are almost all brainlessly simple--how to enable a locked-out account is the prime example.

Can anyone give concrete details on accomplishing my goal?  I'd prefer that only the four tabs listed for user properties display in the MMC, but I would accept  all the properties tabs, if only the specified data could be edited.

Question by:david_reaves
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +1

Accepted Solution

DanniF earned 1500 total points
ID: 10880797

This might help you: (Taken from:  http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/delestep.mspx#XSLTsection124121120120  )

Variations to the Delegation Task

This section demonstrates the highest level of control that can be delegated in Active Directory?one operation that applies to objects of a certain type is delegated within a specific OU. Other variations include:

Instead of delegating a control right such as Reset Password, you may want to delegate ability to read/write telephone number attributes for all User objects to a group called Receptionist. If you implement this approach, the differences are:

You must use a custom delegation; the pre-defined ones do not suffice.

You must select the User object and choose Phone and Mail Options.

Additionally, to see property specific rights, you must select the Show General Permissions check box and clear the Show Property Permissions and Show creation/deletion of subobjects permissions check boxes. These check boxes allow you to see different types of rights that you can grant. Because the list of rights can be extremely large, these check boxes allow you to filter interesting rights.

Instead of delegating a control right such as Reset Password, you may want to delegate full access on all user objects to a group called NetAccounts. If you try this step-by-step guide, you must choose Full Control instead of Reset Password.

Note: This is a distinction from the delegation done to HRTeam for creation/deletion of user objects in the second example above. In this instance, you have delegated management of existing accounts to NetAccounts but they still can't create new accounts. HRTeam can create new accounts but do not manage them.

Another variation is to delegate ability to manage printers under Computer objects in the Print Servers OU to printer administrators, using the pre-defined delegation.

Hope this helps,

Daniel F.

Author Comment

ID: 10881214

I hadn't found that note specifically before, so it's somewhat helpful. The information you list is the general approach that I've tried, but for some reason the user/group member with the delegated User permissions still can't change the existing data.

The sequence I'm using is:

1) In MMC, as an Enterprise Admin, selecting the container to delegate.
2) Starting the Delegation of Control Wizard
3) Adding the group to have User Address/Phone editing.
4) Select Create Custom Task radio-button
5) Select Only following Objects...radio-button and subordinate User checkbox
6) With General permissions checkbox only, select "Read and Write General" and Read and write Phone and Mail"
7) Verified options and select finish.

What am I missing?

Author Comment

ID: 10910298
A little more detail...I've found that that the version of the MMC plug-in used to delegate is important. The process doesn't appear to work correctly on older versions, but does seem to work somewhat on the newest version availble when installing ADMINPAK.MSI on an XP Pro system. So far, it seems that the delgate must be using a current version of the MMC Active Directory plugin as well.

The catch now is that the delegation works as expected for SOME of the users in the relevant container.  Other users in the same container aren't delegated.

I'm trying to identify any differences between users that can be edited with the delegation versus users that may not be edited.  So far I haven't found anything.  Of course, this is an AD structure that I inherited so I don't know what may have been done in the past.  

Does anyone have something to add? If not, I will award partial points to the only reply, from DanniF--the approach is the appropriate way to delgate but it doesn't seem to be working completely in my environment.

David R.
Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.


Expert Comment

ID: 10917739
Sorry for the long silence David, Ive been real busy.

Unfortunately though, I do not have any ideas for your problem.

Best of luck,

Daniel F.

Expert Comment

ID: 11907725
This was posted in April, so you may have found your answer already.  If not, I've got the solution for you.  Today I was trying to the exact same thing, and after some fiddling with the permissions, I've got it figured out.  Let me know if you still havent solved this and I'll send you the information that I have.

Author Comment

ID: 11907968
We still haven't solved...it's became a low priority, so posting your results would be great!

Expert Comment

ID: 11914498
In AD Users/Computers, select OU, and choose Delegate Control

Select the desired user or group
Select create a custom task to delegate
Select only the following objects in the folder, then scroll down the list and select User Objects only. Select the General, and Property Specific check boxes.  
In the list select the following options (R/W stands for Read and Write)

R/W Personal Information
R/W Title
R/W Manager
R/W Job Title
R/W Direct Reports
R/W Description
R/W Department
R/W Company

Select finish.

Select the OU again, and open properties.
Select the Security tab, find the user/group just added, and select advanced In the special permissions dialogue box select any of the allow attributes for the user/group edit it. Set Deny for the following objects R/W Terminal Server

The settings allow a user/group to modify the following user properties by tab:

General Tab:
Telephone Number

Address Tab:

PO Box
Zip/Postal Code


IP Phone



Expert Comment

ID: 26144455
You could further more Deny Account Restrictions to prevent the group to change profile path and more.

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
Are you looking for the options available for exporting EDB files to PST? You may be confused as they are different in different Exchange versions. Here, I will discuss some options available.
In this video, Percona Solution Engineer Dimitri Vanoverbeke discusses why you want to use at least three nodes in a database cluster. To discuss how Percona Consulting can help with your design and architecture needs for your database and infras…
How to fix incompatible JVM issue while installing Eclipse While installing Eclipse in windows, got one error like above and unable to proceed with the installation. This video describes how to successfully install Eclipse. How to solve incompa…

604 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question