Active Directory User Attributes

Hi Experts,
I need to give read/write on the 'Office' attribute using delegate control for a user under a particular OU. For some reason I can't find this particular single attribute, but I can give all other attributes one by one, for example Telephone, Name, Department, Pager, Mobile etc., but I can't find an attribute that can give me the control on read/write for OFFICE. How can I do this?

Note:
I am using the delegate control wizard under AD and going for a custom task. I do not want to give a collective control GENERAL or PERSONAL information read/write.

Thanks in advance.
Thushya Asked:

exx1976 Commented:
I don't see that property listed in AD here as one that can be individually delegated.

Why not simply write some code that looks at a spreadsheet for SAMAccountName and then has another field for Office?  You could schedule the script to run as a user with high enough access, and then share the spreadsheet so that whoever can edit it and change offices for users?  That's what I'd do..

Thushya (Author) Commented:
Hello exx1976,
thanks for the contribution, any example?

I am trying to give one user access to all members of that particular group?
Joseph Daly Commented:
The script you would want to use would be something like below.

You would run this at a command line on a machine where you have the active directory management tools installed.
dsquery user -samid * -limit 0 | dsget user -office > c:\output.txt

Joseph Daly Commented:
Actually use this one instead. This will output their first name, last name and username as well as their office.


dsquery user -samid * -limit 0 | dsget user -ln -fn -samid -office > c:\output.tx

Thushya (Author) Commented:
I am looking for 'delegate control' so a single user will be allowed to modify one or two attributes of all users in the Active Directory, and the person who would perform this operation is not necessarily part of the IT/technical team, probably a telephone receptionist.

Thanks.
exx1976 Commented:
Here's the code below.  Modify line 1 with the NETBIOS name of your domain, not the FQDN.   Your source spreadsheet should have a header record.  Column 1 (A) should be the SAMAccountName, and column 2 (B) should be what you want to change the Office attribute to.

The spreadsheet should be named "source.xls", and this script assumes it's in the same directory that the script is in.  It also blanks the spreadsheet after it runs, so that you can schedule it and not have to worry about it running the same data over and over again.


TEST THIS FIRST!!!!  There's very little error handling in it, so make sure that people enter the correct SAMAccountName or it will likely blow up on you..

Domain = "MyDomain"   ' NetBIOS name of your domain, not the FQDN
' Work out the folder this script lives in; Source.xls must sit beside it.
sPath = WScript.ScriptFullName
sPath = Left(sPath, Len(sPath) - Len(WScript.ScriptName))
Set oExcelApp = CreateObject("Excel.Application")
oExcelApp.Visible = False
Set oWorkbook = oExcelApp.Workbooks.Open(sPath & "Source.xls")
Set oWorksheet = oWorkbook.Worksheets(1)
oWorksheet.Activate
Dim ArrVals(1)
' Row 1 is the header record, so data starts on row 2.
bEmpty = False
iCounter = 2
Do Until bEmpty = True
	EmptyCounter = 0
	For q = 0 To 1
		' Column A = SAMAccountName, column B = new Office value
		ArrVals(q) = oWorksheet.Cells(iCounter, q + 1).Value
		If ArrVals(q) = "" Then EmptyCounter = EmptyCounter + 1
	Next
	If EmptyCounter = 0 Then AddAttributes ArrVals(0), ArrVals(1)
	If EmptyCounter = 2 Then
		' A completely empty row marks the end of the data
		bEmpty = True
	Else
		' Always advance, so a half-filled row is skipped instead of looping forever
		iCounter = iCounter + 1
	End If
Loop
' Blank every data row that was read (half-filled rows included), so a
' scheduled run does not apply the same data again.
For r = 2 To iCounter - 1
	oWorksheet.Cells(r, 1).Value = ""
	oWorksheet.Cells(r, 2).Value = ""
Next
oWorkbook.Save
oExcelApp.Quit
WScript.Quit()

Sub AddAttributes(samAccountName, Office)
	DN = GetObjectDN(samAccountName, Domain)
	' Skip names that did not resolve rather than binding to an empty path
	If DN = "" Then Exit Sub
	Set oUser = GetObject("LDAP://" & DN)
	' The Office field on the General tab is stored in physicalDeliveryOfficeName
	oUser.Put "physicalDeliveryOfficeName", Office
	oUser.SetInfo
End Sub

' Translate DOMAIN\samAccountName into a distinguished name.
' Returns "" when the name cannot be resolved.
Function GetObjectDN(strObject, strDomain)
	Dim objNameTranslate
	Dim strObjectDN
	On Error Resume Next : Err.Clear
	Set objNameTranslate = CreateObject("NameTranslate")
	objNameTranslate.Init 3, ""                            ' 3 = ADS_NAME_INITTYPE_GC
	objNameTranslate.Set 3, strDomain & "\" & strObject    ' 3 = ADS_NAME_TYPE_NT4
	strObjectDN = objNameTranslate.Get(1)                  ' 1 = ADS_NAME_TYPE_1779 (DN)
	If Err.Number <> 0 Then
		strObjectDN = ""
	End If
	Set objNameTranslate = Nothing
	On Error Goto 0
	GetObjectDN = strObjectDN
End Function

exx1976 Commented:
Chief - he doesn't want to grant access to modify all the attributes (what your post does)..
ChiefIT Commented:
Oh, I didn't catch that:

Thanks.
Thushya (Author) Commented:
ChiefIT/exx1976

I think the link pointed out should do the trick here. In fact I need to give limited access on personal information which is listed under the 'GENERAL' tab in the user account. I think this should allow me to give access to "phone numbers" and "office" but not all under personal information, which is perfect. I will test this tomorrow and update you both.

Thank you.
exx1976 Commented:
In the future, please post what you're really after then, so that people don't waste their time providing an answer you don't want.

"....i do not want to give a collective control GENERAL or PERSONAL information read/write"


Thanks,
exx
ChiefIT Commented:
@exx1976:

Your answers were not a waste of time:

I like these scripts you wrote. They work. So, I would hope to see you get credit for them as plausible answers, regardless of what method is chosen by the author to update the AD information. Folks surf through the EE for answers and your scripts might be the best choice for them as an alternative to the delegations of authority.
Thushya (Author) Commented:
exx1976
Your solution is the right one to limit the control, but for me it will take some time to adapt to your scripting method. I love the command lines, but this is very new to me.

ChiefIT
Your method works but I can't give the limited access on office. In fact there are a few items allowed as a side effect, but those are not security attributes, just personal information. It's okay for now.

Thank you both for the contribution - no hard feelings :)
Thushya (Author) Commented:
Thank you both.
exx1976 Commented:
Sounds good.  Hope you get a solution in place that works for you, whatever it may be.

-exx
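
The single-attribute delegation asked about at the top of this thread can also be written directly as an access-control entry on the OU, scoped to physicalDeliveryOfficeName (the attribute behind the Office field) and inherited only by user objects; the script below is an added example, not code from any participant in the thread. The OU distinguished name and the group name are hypothetical placeholders, and it assumes the ActiveDirectory PowerShell module and an account allowed to change the OU's ACL.

```powershell
# Added example: delegate read/write on the Office attribute only.
# $OuDn and $Trustee are hypothetical placeholders; replace with your own.
Import-Module ActiveDirectory

$OuDn    = 'OU=Staff,DC=example,DC=com'
$Trustee = 'EXAMPLE\Office-Editors'

# Resolve schemaIDGUIDs from the schema instead of hard-coding them.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$LdapName) {
    $obj = Get-ADObject -SearchBase $schemaNc `
        -LDAPFilter "(lDAPDisplayName=$LdapName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapName' not found" }
    [guid]$obj.schemaIDGUID
}
$officeGuid = Get-SchemaGuid 'physicalDeliveryOfficeName'  # property the ACE covers
$userGuid   = Get-SchemaGuid 'user'                        # object class that inherits it

# Resolve the trustee to a SID so a mistyped name fails here, before any ACL change.
$account = New-Object System.Security.Principal.NTAccount($Trustee)
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier])

# Allow ReadProperty + WriteProperty on that one attribute, on descendant user objects.
$rights = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $officeGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userGuid)

$path = "AD:\$OuDn"
$acl  = Get-Acl -Path $path
$acl.AddAccessRule($ace)
Set-Acl -Path $path -AclObject $acl

# Verify the scope: list every entry the trustee now holds on the OU.
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference.Value -eq $Trustee } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```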