Delegate edit for specific user properties in MMC

Posted on 2004-04-21
Last Modified: 2012-08-13
I need to allow an administrative assistant the ability to update user properties in Active Directory for four tabs: General, Address, Telephones, and Organization.  I know that I should be able to use the delegation wizard, but I haven't been able to find the appropriate properties for 'Create a custom task'.  I've scanned through the DSSEC.DAT for the permissions, but there weren't many properties listed under the user heading.

Surely this specific customization has been done hundreds of times, why haven't I been able to find a single instance documented?  The examples for customized delegation I've found are almost all brainlessly simple--how to enable a locked-out account is the prime example.

Can anyone give concrete details on accomplishing my goal?  I'd prefer that only the four tabs listed for user properties display in the MMC, but I would accept  all the properties tabs, if only the specified data could be edited.

Thanks!
Question by:david_reaves
Accepted Solution
by: DanniF (earned 500 total points)
ID: 10880797
Hi,

This might help you (taken from: http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/delestep.mspx#XSLTsection124121120120 ):

Variations to the Delegation Task

This section demonstrates the highest level of control that can be delegated in Active Directory: one operation that applies to objects of a certain type is delegated within a specific OU. Other variations include:

• Instead of delegating a control right such as Reset Password, you may want to delegate the ability to read/write telephone number attributes for all User objects to a group called Receptionist. If you implement this approach, the differences are:

  • You must use a custom delegation; the pre-defined ones do not suffice.

  • You must select the User object and choose Phone and Mail Options.

  • Additionally, to see property specific rights, you must select the Show General Permissions check box and clear the Show Property Permissions and Show creation/deletion of subobjects permissions check boxes. These check boxes allow you to see different types of rights that you can grant. Because the list of rights can be extremely large, these check boxes allow you to filter interesting rights.

• Instead of delegating a control right such as Reset Password, you may want to delegate full access on all user objects to a group called NetAccounts. If you try this step-by-step guide, you must choose Full Control instead of Reset Password.

  Note: This is a distinction from the delegation done to HRTeam for creation/deletion of user objects in the second example above. In this instance, you have delegated management of existing accounts to NetAccounts but they still can't create new accounts. HRTeam can create new accounts but do not manage them.

• Another variation is to delegate the ability to manage printers under Computer objects in the Print Servers OU to printer administrators, using the pre-defined delegation.


Hope this helps,

Daniel F.
Author Comment

by:david_reaves
ID: 10881214
Daniel,

I hadn't found that note specifically before, so it's somewhat helpful. The information you list is the general approach that I've tried, but for some reason the user/group member with the delegated User permissions still can't change the existing data.

The sequence I'm using is:

1) In MMC, as an Enterprise Admin, selecting the container to delegate.
2) Starting the Delegation of Control Wizard.
3) Adding the group to have User Address/Phone editing.
4) Select the "Create a custom task to delegate" radio-button.
5) Select the "Only the following objects in the folder..." radio-button and the subordinate User checkbox.
6) With the General permissions checkbox only, select "Read and Write General" and "Read and Write Phone and Mail".
7) Verify the options and select Finish.

What am I missing?
Author Comment

by:david_reaves
ID: 10910298
A little more detail...I've found that the version of the MMC plug-in used to delegate is important. The process doesn't appear to work correctly on older versions, but does seem to work somewhat on the newest version available when installing ADMINPAK.MSI on an XP Pro system. So far, it seems that the delegate must be using a current version of the MMC Active Directory plugin as well.

The catch now is that the delegation works as expected for SOME of the users in the relevant container.  Other users in the same container aren't delegated.

I'm trying to identify any differences between users that can be edited with the delegation versus users that may not be edited.  So far I haven't found anything.  Of course, this is an AD structure that I inherited so I don't know what may have been done in the past.  

Does anyone have something to add? If not, I will award partial points to the only reply, from DanniF--the approach is the appropriate way to delegate but it doesn't seem to be working completely in my environment.

David R.
Expert Comment

by:DanniF
ID: 10917739
Sorry for the long silence David, I've been real busy.

Unfortunately though, I do not have any ideas for your problem.

Best of luck,

Daniel F.
Expert Comment

by:siexton
ID: 11907725
This was posted in April, so you may have found your answer already. If not, I've got the solution for you. Today I was trying to do the exact same thing, and after some fiddling with the permissions, I've got it figured out. Let me know if you still haven't solved this and I'll send you the information that I have.
Author Comment

by:david_reaves
ID: 11907968
We still haven't solved it...it's become a low priority, so posting your results would be great!
Expert Comment

by:siexton
ID: 11914498
1) In AD Users/Computers, select the OU, and choose Delegate Control.
2) Select the desired user or group.
3) Select "Create a custom task to delegate".
4) Select "Only the following objects in the folder", then scroll down the list and select User objects only. Select the General and Property-specific check boxes.
5) In the list select the following options (R/W stands for Read and Write):

R/W Personal Information
R/W Title
R/W Manager
R/W Job Title
R/W Direct Reports
R/W Description
R/W Department
R/W Company

6) Select Finish.

7) Select the OU again, and open Properties.
8) Select the Security tab, find the user/group just added, and select Advanced. In the special permissions dialogue box, select any of the allow attributes for the user/group and edit it. Set Deny for the following object: R/W Terminal Server.

The settings allow a user/group to modify the following user properties by tab:

General Tab:
Description
Office
Telephone Number

Address Tab:

Street
PO Box
City
State/Province
Zip/Postal Code
Country/Region

Telephones:

Home
Pager
Mobile
Fax
IP Phone
Notes

Organization:

Title
Department
Company
Manager
Expert Comment

by:LaaZ
ID: 26144455
You could furthermore deny Account Restrictions to prevent the group from changing the profile path and more.
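As an added example that is not part of this thread: the scripted equivalent of siexton's wizard steps plus LaaZ's deny, done with the ActiveDirectory PowerShell module and its AD: drive, so the delegation can be applied repeatably and reviewed afterwards. The OU distinguished name and the group name 'UserInfoEditors' are placeholder assumptions; the property-set names are the display names the wizard shows in the answers above.

```powershell
# Added example, not from this thread: scripted equivalent of the wizard steps
# above, using the ActiveDirectory module and its AD: PowerShell drive.
# Placeholders (assumptions): the OU DN and the delegate group name.
Import-Module ActiveDirectory

$ouDN  = 'OU=Staff,DC=example,DC=com'   # placeholder OU whose users are delegated
$group = 'UserInfoEditors'             # placeholder group receiving the rights
$rootDse = Get-ADRootDSE

# Resolve property-set GUIDs by the display name the wizard shows, from the
# Extended-Rights container, rather than hard-coding them.
function Get-PropertySetGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $obj) { throw "Property set '$DisplayName' not found in Extended-Rights" }
    return [Guid]$obj.rightsGuid
}

# schemaIDGUID of the user class: scopes each ACE to user objects only
$userClass = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID
$userGuid = [Guid]$userClass.schemaIDGUID

$sid     = (Get-ADGroup $group).SID
$acl     = Get-Acl -Path "AD:\$ouDN"
$rw      = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$write   = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$deny    = [System.Security.AccessControl.AccessControlType]::Deny

# Allow R/W on the property sets the answers above pick in the wizard
foreach ($set in 'Personal Information', 'Phone and Mail Options', 'General Information') {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $rw, $allow, (Get-PropertySetGuid $set), $inherit, $userGuid)))
}

# Deny writes to Account Restrictions (LaaZ's point) so the delegate cannot
# alter profile path, logon hours and similar settings; reads stay allowed.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $write, $deny, (Get-PropertySetGuid 'Account Restrictions'), $inherit, $userGuid)))

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify what the group now holds on the OU; review this after any delegation
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$group" } |
    Select-Object AccessControlType, ActiveDirectoryRights, ObjectType, InheritedObjectType
```

Run it as an account that can modify the OU's security descriptor; the final listing should show three Allow entries and one Deny entry for the group, each scoped to the user object class.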