Solved

Delegate edit for specific user properties in MMC

Posted on 2004-04-21
Last Modified: 2012-08-13
I need to allow an administrative assistant the ability to update user properties in Active Directory for four tabs: General, Address, Telephones, and Organization. I know that I should be able to use the delegation wizard, but I haven't been able to find the appropriate properties for 'Create a custom task'. I've scanned through the DSSEC.DAT for the permissions, but there weren't many properties listed under the user heading.

Surely this specific customization has been done hundreds of times, so why haven't I been able to find a single instance documented? The examples for customized delegation I've found are almost all brainlessly simple--how to enable a locked-out account is the prime example.

Can anyone give concrete details on accomplishing my goal? I'd prefer that only the four tabs listed for user properties display in the MMC, but I would accept all the properties tabs, if only the specified data could be edited.

Thanks!
Question by:david_reaves
8 Comments
 
Accepted Solution

by: DanniF earned 500 total points
ID: 10880797
Hi,

This might help you: (Taken from: http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/delestep.mspx#XSLTsection124121120120 )

Variations to the Delegation Task

This section demonstrates the highest level of control that can be delegated in Active Directory: one operation that applies to objects of a certain type is delegated within a specific OU. Other variations include:

• Instead of delegating a control right such as Reset Password, you may want to delegate the ability to read/write telephone number attributes for all User objects to a group called Receptionist. If you implement this approach, the differences are:

  • You must use a custom delegation; the pre-defined ones do not suffice.

  • You must select the User object and choose Phone and Mail Options.

  • Additionally, to see property specific rights, you must select the Show General Permissions check box and clear the Show Property Permissions and Show creation/deletion of subobjects permissions check boxes. These check boxes allow you to see different types of rights that you can grant. Because the list of rights can be extremely large, these check boxes allow you to filter interesting rights.

• Instead of delegating a control right such as Reset Password, you may want to delegate full access on all user objects to a group called NetAccounts. If you try this step-by-step guide, you must choose Full Control instead of Reset Password.

  Note: This is a distinction from the delegation done to HRTeam for creation/deletion of user objects in the second example above. In this instance, you have delegated management of existing accounts to NetAccounts, but they still can't create new accounts. HRTeam can create new accounts but do not manage them.

• Another variation is to delegate the ability to manage printers under Computer objects in the Print Servers OU to printer administrators, using the pre-defined delegation.


Hope this helps,

Daniel F.

Author Comment

by:david_reaves
ID: 10881214
Daniel,

I hadn't found that note specifically before, so it's somewhat helpful. The information you list is the general approach that I've tried, but for some reason the user/group member with the delegated User permissions still can't change the existing data.

The sequence I'm using is:

1) In MMC, as an Enterprise Admin, select the container to delegate.
2) Start the Delegation of Control Wizard.
3) Add the group to have User Address/Phone editing.
4) Select the "Create a custom task" radio button.
5) Select the "Only the following objects..." radio button and the subordinate User check box.
6) With the General permissions check box only, select "Read and Write General" and "Read and Write Phone and Mail".
7) Verify the options and select Finish.

What am I missing?

Author Comment

by:david_reaves
ID: 10910298
A little more detail...I've found that the version of the MMC plug-in used to delegate is important. The process doesn't appear to work correctly on older versions, but does seem to work somewhat on the newest version available when installing ADMINPAK.MSI on an XP Pro system. So far, it seems that the delegate must be using a current version of the MMC Active Directory plugin as well.

The catch now is that the delegation works as expected for SOME of the users in the relevant container. Other users in the same container aren't delegated.

I'm trying to identify any differences between users that can be edited with the delegation versus users that may not be edited. So far I haven't found anything. Of course, this is an AD structure that I inherited, so I don't know what may have been done in the past.

Does anyone have something to add? If not, I will award partial points to the only reply, from DanniF--the approach is the appropriate way to delegate, but it doesn't seem to be working completely in my environment.

David R.
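The "works for some users, not others" symptom above is worth checking mechanically: the Delegation of Control Wizard writes inheritable ACEs on the OU, so a user object whose ACL has inheritance blocked never receives them. The script below is an added example, not code from the thread; it assumes the RSAT ActiveDirectory module, a placeholder OU and a placeholder delegate group named AD-Assistants, and reports each user in the OU that carries no Allow/WriteProperty ACE for that group.

```powershell
# Added example (not from the thread). Finds users in an OU that the OU-level
# delegation does not reach. OU and group names below are constructed placeholders.
Import-Module ActiveDirectory

$ouDN  = "OU=Staff,DC=example,DC=com"   # constructed placeholder OU
$group = Get-ADGroup "AD-Assistants"     # constructed placeholder delegate group

function Test-DelegationReach {
    param(
        [string]$SearchBase,
        [System.Security.Principal.SecurityIdentifier]$DelegateSid
    )
    $write = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    Get-ADUser -SearchBase $SearchBase -Filter * -Properties adminCount, nTSecurityDescriptor |
        ForEach-Object {
            $sd = $_.nTSecurityDescriptor
            # Any Allow ACE granting WriteProperty to the delegate group, inherited or explicit.
            $hit = $sd.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
                Where-Object {
                    $_.IdentityReference.Value -eq $DelegateSid.Value -and
                    $_.AccessControlType -eq 'Allow' -and
                    (($_.ActiveDirectoryRights -band $write) -ne 0)
                }
            [pscustomobject]@{
                User                = $_.SamAccountName
                # True when "Allow inheritable permissions" was cleared on the object.
                InheritanceBlocked  = $sd.AreAccessRulesProtected
                # adminCount=1 marks accounts whose ACL AdminSDHolder rewrites with
                # inheritance switched off; such users do not pick up OU delegation.
                AdminCount          = $_.adminCount
                HasDelegateWriteACE = [bool]$hit
            }
        }
}

# List only the users the delegation has not reached.
Test-DelegationReach -SearchBase $ouDN -DelegateSid $group.SID |
    Where-Object { -not $_.HasDelegateWriteACE } |
    Format-Table -AutoSize
```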

Expert Comment

by:DanniF
ID: 10917739
Sorry for the long silence David, I've been real busy.

Unfortunately though, I do not have any ideas for your problem.

Best of luck,

Daniel F.

Expert Comment

by:siexton
ID: 11907725
This was posted in April, so you may have found your answer already. If not, I've got the solution for you. Today I was trying to do the exact same thing, and after some fiddling with the permissions, I've got it figured out. Let me know if you still haven't solved this and I'll send you the information that I have.

Author Comment

by:david_reaves
ID: 11907968
We still haven't solved it...it's become a low priority, so posting your results would be great!

Expert Comment

by:siexton
ID: 11914498
1) In AD Users/Computers, select the OU and choose Delegate Control.
2) Select the desired user or group.
3) Select "Create a custom task to delegate".
4) Select "Only the following objects in the folder", then scroll down the list and select User Objects only. Select the General and Property-specific check boxes.
5) In the list select the following options (R/W stands for Read and Write):

R/W Personal Information
R/W Title
R/W Manager
R/W Job Title
R/W Direct Reports
R/W Description
R/W Department
R/W Company

6) Select Finish.
7) Select the OU again and open Properties.
8) Select the Security tab, find the user/group just added, and select Advanced. In the Special Permissions dialogue box, select any of the Allow entries for the user/group and edit it. Set Deny for the following objects: R/W Terminal Server.

The settings allow a user/group to modify the following user properties by tab:

General Tab:
Description
Office
Telephone Number

Address Tab:

Street
PO Box
City
State/Province
Zip/Postal Code
Country/Region

Telephones:

Home
Pager
Mobile
Fax
IP Phone
Notes

Organization:

Title
Department
Company
Manager

Expert Comment

by:LaaZ
ID: 26144455
You could furthermore deny Account Restrictions to prevent the group from changing the profile path and more.
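The wizard steps in siexton's reply and the extra Deny suggested by LaaZ can be expressed as ACEs on the OU, which makes the delegation reviewable and repeatable. The script below is an added example, not code from the thread; it assumes the RSAT ActiveDirectory module, a placeholder OU and a placeholder delegate group named AD-Assistants, and resolves property-set and attribute GUIDs from the schema rather than hardcoding them.

```powershell
# Added example (not from the thread). Writes the Allow rights from siexton's steps and the
# Deny on Account Restrictions from LaaZ's comment as inheritable ACEs on the OU, scoped to
# User objects only. OU and group names are constructed placeholders.
Import-Module ActiveDirectory

$ouDN    = "OU=Staff,DC=example,DC=com"       # constructed placeholder OU
$sid     = (Get-ADGroup "AD-Assistants").SID  # constructed placeholder delegate group
$rootDSE = Get-ADRootDSE

# Look up a schemaIDGUID (for a single attribute or a class) in the forest schema.
function Get-SchemaGuid([string]$ldapDisplayName) {
    $o = Get-ADObject -SearchBase $rootDSE.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}
# Look up a property set's rightsGuid under CN=Extended-Rights by its display name.
function Get-PropertySetGuid([string]$displayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDSE.configurationNamingContext)" `
        -LDAPFilter "(displayName=$displayName)" -Properties rightsGuid
    [guid]$o.rightsGuid
}
# Build one ACE for the delegate group that inherits to descendant objects of $UserClass.
function New-UserAce([System.DirectoryServices.ActiveDirectoryRights]$Rights,
                     [System.Security.AccessControl.AccessControlType]$Type,
                     [guid]$ObjectType, [guid]$UserClass) {
    New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid, $Rights, $Type, $ObjectType,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, $UserClass)
}

$userClass = Get-SchemaGuid 'user'
$rw  = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$acl = Get-Acl -Path "AD:\$ouDN"

# Property sets named in the thread (Personal Information carries the Address and Telephones fields).
foreach ($set in 'Personal Information', 'Phone and Mail Options') {
    $acl.AddAccessRule((New-UserAce $rw 'Allow' (Get-PropertySetGuid $set) $userClass))
}
# Single attributes behind the Organization and General tabs.
foreach ($attr in 'title', 'department', 'company', 'manager', 'description') {
    $acl.AddAccessRule((New-UserAce $rw 'Allow' (Get-SchemaGuid $attr) $userClass))
}
# Deny writes to the Account Restrictions set (userAccountControl, logonHours, etc.).
$acl.AddAccessRule((New-UserAce 'WriteProperty' 'Deny' (Get-PropertySetGuid 'Account Restrictions') $userClass))

Set-Acl -Path "AD:\$ouDN" -AclObject $acl
```

Run it as an account that can modify the OU's security descriptor, then confirm the result on the OU's Security tab under Advanced, the same place siexton's step 8 edits.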
