• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2051
  • Last Modified:

Delegate edit for specific user properties in MMC

I need to allow an administrative assistant the ability to update user properties in Active Directory for four tabs: General, Address, Telephones, and Organization.  I know that I should be able to use the delegation wizard, but I haven't been able to find the appropriate properties for 'Create a custom task'.  I've scanned through the DSSEC.DAT for the permissions, but there weren't many properties listed under the user heading.

Surely this specific customization has been done hundreds of times, why haven't I been able to find a single instance documented?  The examples for customized delegation I've found are almost all brainlessly simple--how to enable a locked-out account is the prime example.

Can anyone give concrete details on accomplishing my goal?  I'd prefer that only the four tabs listed for user properties display in the MMC, but I would accept  all the properties tabs, if only the specified data could be edited.

  • 3
  • 2
  • 2
  • +1
1 Solution

This might help you: (Taken from:  http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/delestep.mspx#XSLTsection124121120120  )

Variations to the Delegation Task

This section demonstrates the highest level of control that can be delegated in Active Directory?one operation that applies to objects of a certain type is delegated within a specific OU. Other variations include:

Instead of delegating a control right such as Reset Password, you may want to delegate ability to read/write telephone number attributes for all User objects to a group called Receptionist. If you implement this approach, the differences are:

You must use a custom delegation; the pre-defined ones do not suffice.

You must select the User object and choose Phone and Mail Options.

Additionally, to see property specific rights, you must select the Show General Permissions check box and clear the Show Property Permissions and Show creation/deletion of subobjects permissions check boxes. These check boxes allow you to see different types of rights that you can grant. Because the list of rights can be extremely large, these check boxes allow you to filter interesting rights.

Instead of delegating a control right such as Reset Password, you may want to delegate full access on all user objects to a group called NetAccounts. If you try this step-by-step guide, you must choose Full Control instead of Reset Password.

Note: This is a distinction from the delegation done to HRTeam for creation/deletion of user objects in the second example above. In this instance, you have delegated management of existing accounts to NetAccounts but they still can't create new accounts. HRTeam can create new accounts but do not manage them.

Another variation is to delegate ability to manage printers under Computer objects in the Print Servers OU to printer administrators, using the pre-defined delegation.

Hope this helps,

Daniel F.
david_reavesAuthor Commented:

I hadn't found that note specifically before, so it's somewhat helpful. The information you list is the general approach that I've tried, but for some reason the user/group member with the delegated User permissions still can't change the existing data.

The sequence I'm using is:

1) In MMC, as an Enterprise Admin, selecting the container to delegate.
2) Starting the Delegation of Control Wizard
3) Adding the group to have User Address/Phone editing.
4) Select Create Custom Task radio-button
5) Select Only following Objects...radio-button and subordinate User checkbox
6) With General permissions checkbox only, select "Read and Write General" and Read and write Phone and Mail"
7) Verified options and select finish.

What am I missing?
david_reavesAuthor Commented:
A little more detail...I've found that that the version of the MMC plug-in used to delegate is important. The process doesn't appear to work correctly on older versions, but does seem to work somewhat on the newest version availble when installing ADMINPAK.MSI on an XP Pro system. So far, it seems that the delgate must be using a current version of the MMC Active Directory plugin as well.

The catch now is that the delegation works as expected for SOME of the users in the relevant container.  Other users in the same container aren't delegated.

I'm trying to identify any differences between users that can be edited with the delegation versus users that may not be edited.  So far I haven't found anything.  Of course, this is an AD structure that I inherited so I don't know what may have been done in the past.  

Does anyone have something to add? If not, I will award partial points to the only reply, from DanniF--the approach is the appropriate way to delgate but it doesn't seem to be working completely in my environment.

David R.
Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Sorry for the long silence David, Ive been real busy.

Unfortunately though, I do not have any ideas for your problem.

Best of luck,

Daniel F.
This was posted in April, so you may have found your answer already.  If not, I've got the solution for you.  Today I was trying to the exact same thing, and after some fiddling with the permissions, I've got it figured out.  Let me know if you still havent solved this and I'll send you the information that I have.
david_reavesAuthor Commented:
We still haven't solved...it's became a low priority, so posting your results would be great!
In AD Users/Computers, select OU, and choose Delegate Control

Select the desired user or group
Select create a custom task to delegate
Select only the following objects in the folder, then scroll down the list and select User Objects only. Select the General, and Property Specific check boxes.  
In the list select the following options (R/W stands for Read and Write)

R/W Personal Information
R/W Title
R/W Manager
R/W Job Title
R/W Direct Reports
R/W Description
R/W Department
R/W Company

Select finish.

Select the OU again, and open properties.
Select the Security tab, find the user/group just added, and select advanced In the special permissions dialogue box select any of the allow attributes for the user/group edit it. Set Deny for the following objects R/W Terminal Server

The settings allow a user/group to modify the following user properties by tab:

General Tab:
Telephone Number

Address Tab:

PO Box
Zip/Postal Code


IP Phone


You could further more Deny Account Restrictions to prevent the group to change profile path and more.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Cloud Class® Course: CompTIA Healthcare IT Tech

This course will help prep you to earn the CompTIA Healthcare IT Technician certification showing that you have the knowledge and skills needed to succeed in installing, managing, and troubleshooting IT systems in medical and clinical settings.

  • 3
  • 2
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now