Solved

Delegate edit for specific user properties in MMC

Posted on 2004-04-21
8
2,005 Views
Last Modified: 2012-08-13
I need to allow an administrative assistant the ability to update user properties in Active Directory for four tabs: General, Address, Telephones, and Organization.  I know that I should be able to use the delegation wizard, but I haven't been able to find the appropriate properties for 'Create a custom task'.  I've scanned through the DSSEC.DAT for the permissions, but there weren't many properties listed under the user heading.

Surely this specific customization has been done hundreds of times, why haven't I been able to find a single instance documented?  The examples for customized delegation I've found are almost all brainlessly simple--how to enable a locked-out account is the prime example.

Can anyone give concrete details on accomplishing my goal?  I'd prefer that only the four tabs listed for user properties display in the MMC, but I would accept  all the properties tabs, if only the specified data could be edited.

Thanks!
0
Comment
Question by:david_reaves
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 6

Accepted Solution

by:
DanniF earned 500 total points
ID: 10880797
Hi,

This might help you: (Taken from:  http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/delestep.mspx#XSLTsection124121120120  )

Variations to the Delegation Task

This section demonstrates the highest level of control that can be delegated in Active Directory?one operation that applies to objects of a certain type is delegated within a specific OU. Other variations include:
?      

Instead of delegating a control right such as Reset Password, you may want to delegate ability to read/write telephone number attributes for all User objects to a group called Receptionist. If you implement this approach, the differences are:
?      

You must use a custom delegation; the pre-defined ones do not suffice.
?      

You must select the User object and choose Phone and Mail Options.
?      

Additionally, to see property specific rights, you must select the Show General Permissions check box and clear the Show Property Permissions and Show creation/deletion of subobjects permissions check boxes. These check boxes allow you to see different types of rights that you can grant. Because the list of rights can be extremely large, these check boxes allow you to filter interesting rights.
?      

Instead of delegating a control right such as Reset Password, you may want to delegate full access on all user objects to a group called NetAccounts. If you try this step-by-step guide, you must choose Full Control instead of Reset Password.

Note: This is a distinction from the delegation done to HRTeam for creation/deletion of user objects in the second example above. In this instance, you have delegated management of existing accounts to NetAccounts but they still can't create new accounts. HRTeam can create new accounts but do not manage them.
?      

Another variation is to delegate ability to manage printers under Computer objects in the Print Servers OU to printer administrators, using the pre-defined delegation.


Hope this helps,

Daniel F.
0
 

Author Comment

by:david_reaves
ID: 10881214
Daniel,

I hadn't found that note specifically before, so it's somewhat helpful. The information you list is the general approach that I've tried, but for some reason the user/group member with the delegated User permissions still can't change the existing data.

The sequence I'm using is:

1) In MMC, as an Enterprise Admin, selecting the container to delegate.
2) Starting the Delegation of Control Wizard
3) Adding the group to have User Address/Phone editing.
4) Select Create Custom Task radio-button
5) Select Only following Objects...radio-button and subordinate User checkbox
6) With General permissions checkbox only, select "Read and Write General" and Read and write Phone and Mail"
7) Verified options and select finish.

What am I missing?
0
 

Author Comment

by:david_reaves
ID: 10910298
A little more detail...I've found that that the version of the MMC plug-in used to delegate is important. The process doesn't appear to work correctly on older versions, but does seem to work somewhat on the newest version availble when installing ADMINPAK.MSI on an XP Pro system. So far, it seems that the delgate must be using a current version of the MMC Active Directory plugin as well.

The catch now is that the delegation works as expected for SOME of the users in the relevant container.  Other users in the same container aren't delegated.

I'm trying to identify any differences between users that can be edited with the delegation versus users that may not be edited.  So far I haven't found anything.  Of course, this is an AD structure that I inherited so I don't know what may have been done in the past.  

Does anyone have something to add? If not, I will award partial points to the only reply, from DanniF--the approach is the appropriate way to delgate but it doesn't seem to be working completely in my environment.

David R.
0
Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

 
LVL 6

Expert Comment

by:DanniF
ID: 10917739
Sorry for the long silence David, Ive been real busy.

Unfortunately though, I do not have any ideas for your problem.

Best of luck,

Daniel F.
0
 

Expert Comment

by:siexton
ID: 11907725
This was posted in April, so you may have found your answer already.  If not, I've got the solution for you.  Today I was trying to the exact same thing, and after some fiddling with the permissions, I've got it figured out.  Let me know if you still havent solved this and I'll send you the information that I have.
0
 

Author Comment

by:david_reaves
ID: 11907968
We still haven't solved...it's became a low priority, so posting your results would be great!
0
 

Expert Comment

by:siexton
ID: 11914498
In AD Users/Computers, select OU, and choose Delegate Control

Select the desired user or group
Select create a custom task to delegate
Select only the following objects in the folder, then scroll down the list and select User Objects only. Select the General, and Property Specific check boxes.  
In the list select the following options (R/W stands for Read and Write)

R/W Personal Information
R/W Title
R/W Manager
R/W Job Title
R/W Direct Reports
R/W Description
R/W Department
R/W Company

Select finish.

Select the OU again, and open properties.
Select the Security tab, find the user/group just added, and select advanced In the special permissions dialogue box select any of the allow attributes for the user/group edit it. Set Deny for the following objects R/W Terminal Server

The settings allow a user/group to modify the following user properties by tab:

General Tab:
Description
Office
Telephone Number

Address Tab:

Street
PO Box
City
State/Province
Zip/Postal Code
Country/Region

Telephones:

Home
Pager
Mobile
Fax
IP Phone
Notes

Organization:

Title
Department
Company
Manager
0
 

Expert Comment

by:LaaZ
ID: 26144455
You could further more Deny Account Restrictions to prevent the group to change profile path and more.
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
The goal of this blog is: - To define the incident management process - To go over the key elements of an incident management system - To look into incident alert management tools that integrate with ConnectWise.
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
Finding and deleting duplicate (picture) files can be a time consuming task. My wife and I, our three kids and their families all share one dilemma: Managing our pictures. Between desktops, laptops, phones, tablets, and cameras; over the last decade…

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question