Solved

Active Directory User Attributes

Posted on 2008-11-13
Last Modified: 2012-05-05
Hi Experts,
I need to give read/write on the 'Office' attribute using delegate control for a user under a particular OU. For some reason I can't find this particular single attribute, but I can give all other attributes one by one, for example Telephone, Name, Department, Pager, Mobile etc., but I can't find an attribute that can give me the control on read/write for OFFICE. How can I do this?

Note:
I am using the Delegate Control wizard under AD and going for a custom task. I do not want to give a collective control GENERAL or PERSONAL information read/write.

thanks in advance.
Question by:Thushya
 
LVL 18

Expert Comment

by:exx1976
ID: 22955365
I don't see that property listed in AD here as one that can be individually delegated.

Why not simply write some code that looks at a spreadsheet for SAMAccountName and then has another field for Office?  You could schedule the script to run as a user with high enough access, and then share the spreadsheet so that whoever can edit it and change offices for users?  That's what I'd do..

0
 

Author Comment

by:Thushya
ID: 22955429
Hello, Exx1976,
thanks for the contribution, any example?

I am trying to give one user access to all members of that particular group?
0
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 22955465
The script you would want to use would be something like below.

You would run this at a command line on a machine where you have the active directory management tools installed.
dsquery user -samid * -limit 0 | dsget user -office > c:\output.txt


0

 
LVL 35

Expert Comment

by:Joseph Daly
ID: 22955483
Actually use this one instead. This will output their first name, last name and username as well as their office.


dsquery user -samid * -limit 0 | dsget user -ln -fn -samid -office > c:\output.tx


0
 

Author Comment

by:Thushya
ID: 22955513
I am looking for 'delegate control' so a single user will be allowed to modify one or two attributes of all users in the Active Directory, and the person who would perform this operation does not necessarily need to be part of the IT/Technical team, probably a telephone receptionist.

thanks.
0
 
LVL 18

Accepted Solution

by:
exx1976 earned 750 total points
ID: 22955561
Here's the code below.  Modify line 1 with the NETBIOS name of your domain, not the FQDN.   Your source spreadsheet should have a header record.  Column 1 (A) should be the SAMAccountName, and column 2 (B) should be what you want to change the Office attribute to.

The spreadsheet should be named "source.xls", and this script assumes it's in the same directory that the script is in.  It also blanks the spreadsheet after it runs, so that you can schedule it and not have to worry about it running the same data over and over again.


TEST THIS FIRST!!!!  There's very little error handling in it, so make sure that people enter the correct SAMAccountName or it will likely blow up on you..

Domain = "MyDomain"
' NETBIOS domain name (not the FQDN), used to resolve each SAMAccountName
bEmpty = False
' Work out the folder this script lives in; Source.xls is expected there
sPath = WScript.ScriptFullName
sPath = Left(sPath,Len(sPath)-Len(WScript.ScriptName))
Set oExcelApp = CreateObject("Excel.Application")
Set oWorkbook = oExcelApp.Workbooks.Open(sPath & "Source.xls")
Set oWorksheet = oWorkbook.Worksheets(1)
oWorksheet.Activate
oExcelApp.Visible = False
Dim ArrVals(1)
iCounter = 2	' row 1 is the header record
' Pass 1: apply every complete row (column A = SAMAccountName, column B = Office)
Do Until bEmpty = True
	EmptyCounter = 0
	For q = 0 To 1
		ArrVals(q) = oWorksheet.Cells(iCounter, q + 1).Value
		If ArrVals(q) = "" Then EmptyCounter = EmptyCounter + 1
	Next
	If EmptyCounter = 0 Then AddAttributes ArrVals(0), ArrVals(1)
	If EmptyCounter = 2 Then
		bEmpty = True	' both cells blank: end of the data
	Else
		' Always advance, so a row with only one cell filled in is skipped
		' instead of being re-read forever
		iCounter = iCounter + 1
	End If
Loop
' Pass 2: blank every row that was read, so a scheduled run does not
' reapply the same data (iCounter now points at the first blank row)
For r = 2 To iCounter - 1
	oWorksheet.Cells(r, 1).Value = ""
	oWorksheet.Cells(r, 2).Value = ""
Next
oWorkbook.Save
oExcelApp.Quit
WScript.Quit()

Sub AddAttributes(samAccountName, Office)
	DN = GetObjectDN(samAccountName,Domain)
	' Name did not resolve: skip the row rather than bind to an empty path
	If DN = "" Then Exit Sub
	Set oUser = GetObject("LDAP://" & DN)
	' The Office field on the General tab is stored in physicalDeliveryOfficeName
	oUser.Put "physicalDeliveryOfficeName", Office
	oUser.SetInfo
End Sub

' Translate DOMAIN\name into a distinguished name; returns "" on failure
Function GetObjectDN(strObject, strDomain)
	Dim objNameTranslate
	Dim strObjectDN
	On Error Resume Next : Err.Clear
	Set objNameTranslate = CreateObject("NameTranslate")
	objNameTranslate.Init 3, ""		' 3 = ADS_NAME_INITTYPE_GC
	objNameTranslate.Set 3, strDomain & "\" & strObject	' 3 = ADS_NAME_TYPE_NT4
	strObjectDN = objNameTranslate.Get(1)	' 1 = ADS_NAME_TYPE_1779 (DN)
	If Err.Number <> 0 Then
		strObjectDN = ""
	End If
	Set objNameTranslate = Nothing
	On Error Goto 0
	GetObjectDN = strObjectDN
End Function


0
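A hardened variant of the file-driven update described in the accepted solution, as an added example that is not part of the thread and not the poster's code. It assumes the ActiveDirectory PowerShell module, a hypothetical `source.csv` with a `SamAccountName,Office` header in place of the spreadsheet, and a placeholder OU distinguished name; the length and character limits are assumptions as well.

```powershell
# Added example (not from the thread). Assumed: source.csv with a header row
# "SamAccountName,Office"; the OU DN below is a placeholder.
Import-Module ActiveDirectory

$TargetOU = 'OU=Staff,DC=example,DC=com'            # placeholder DN
$CsvPath  = Join-Path $PSScriptRoot 'source.csv'     # assumed input file
$LogPath  = Join-Path $PSScriptRoot 'office-update.log'

function Write-Log([string]$Message) {
    Add-Content -Path $LogPath -Value "$(Get-Date -Format s) $Message"
}

foreach ($row in Import-Csv -Path $CsvPath) {
    $sam    = "$($row.SamAccountName)".Trim()
    $office = "$($row.Office)".Trim()

    # The file is editable by non-admins, so treat every cell as untrusted:
    # restricted character set for the account name, bounded printable text
    # for the office (limits here are assumptions, tune them to your naming).
    if ($sam -notmatch '^[A-Za-z0-9._-]{1,20}$') {
        Write-Log "SKIP bad account name"
        continue
    }
    if ($office.Length -lt 1 -or $office.Length -gt 128 -or $office -match '[\x00-\x1f]') {
        Write-Log "SKIP $sam : office value rejected"
        continue
    }

    # Search only inside the delegated OU, so a row naming an account that
    # lives elsewhere (an administrator, a service account) changes nothing.
    $user = Get-ADUser -Filter "SamAccountName -eq '$sam'" -SearchBase $TargetOU -Properties Office
    if (-not $user) {
        Write-Log "SKIP $sam : not found under $TargetOU"
        continue
    }

    try {
        # -Office writes physicalDeliveryOfficeName and nothing else
        Set-ADUser -Identity $user -Office $office -ErrorAction Stop
        Write-Log "OK $sam : '$($user.Office)' -> '$office'"
    } catch {
        Write-Log "FAIL $sam : $($_.Exception.Message)"
    }
}
```

Restrict write access on `source.csv` to the person maintaining it, since anyone who can edit the file can change this attribute for every account in the OU.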
 
LVL 39

Assisted Solution

by:ChiefIT
ChiefIT earned 750 total points
ID: 22956942
0
 
LVL 18

Expert Comment

by:exx1976
ID: 22957423
Chief - he doesn't want to grant access to modify all the attributes (what your post does)..
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 22957612
Oh, I didn't catch that:

Thanks.
0
 

Author Comment

by:Thushya
ID: 22958168
ChiefIT/exx1976

I think the link pointed out should do the trick here. In fact, I need to give limited access on personal information which is listed under the 'GENERAL' tab in the user account. I think this should allow me to give access to "phone numbers" and "office" but not all under personal information, which is perfect. I will test this tomorrow and update you both.

thank you.
0
 
LVL 18

Expert Comment

by:exx1976
ID: 22960274
In the future, please post what you're really after then, so that people don't waste their time providing an answer you don't want.

"....I do not want to give a collective control GENERAL or PERSONAL information read/write"


Thanks,
exx
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 22962158
@exx1976:

Your answers were not a waste of time:

I like the scripts you wrote. They work. So, I would hope to see you get credit for them as plausible answers, regardless of what method is chosen by the author to update the AD information. Folks surf through the EE for answers and your scripts might be the best choice for them as an alternative to the delegations of authority.
0
 

Author Comment

by:Thushya
ID: 22962376
exx1976
Your solution is the right one to limit the control, but for me it will take some time to adapt to your scripting method. I love the command lines, but this is very new to me.

ChiefIT
Your method works but I can't give the limited access on office. In fact, there are a few items allowed as a side effect, but those are not security attributes, just personal information. It's okay for now.

thank you both for the contribution - no hard feelings :)
0
 

Author Closing Comment

by:Thushya
ID: 31516608
thank you both.
0
 
LVL 18

Expert Comment

by:exx1976
ID: 22962783
Sounds good.  Hope you get a solution in place that works for you, whatever it may be.

-exx
0
