kimakabane

Delegate user to update their own information on AD such as phone number.

I'd like to let users update particular information on their own user account, such as phone information or department information. It seems that it is not allowed by default in AD. I know the delegation wizard might help, but I'm not sure if it can restrict the access to "self". I don't want users to change other people's information. I also want to be flexible in permitting/restricting the updatable fields.
maze-uk

Best Practices for Delegating Active Directory Administration
http://www.microsoft.com/downloads/details.aspx?familyid=631747a3-79e1-48fa-9730-dae7c0a1d6d3&displaylang=en

In the appendix of this document, you'll find the exact rights necessary. I suppose the right should be given to 'SELF'.
kimakabane

ASKER

Thanks, but I'd like to know the step-by-step procedure with some examples.

On the GPO containing the users, right-click on it and select Properties.
Go into Security, Advanced.
Click Add...
Type SELF and click OK.
(Optional: if users' names or accounts contain 'self', they will show here, so select the one with 'SELF' as RDN and click OK.)
In PERMISSIONS ENTRY FOR USERS, on the Properties tab,
in Apply onto, select User Objects,
then select the permission/property you want to apply.
Once finished, click OK as many times as necessary to close the windows...
Examples of permissions you'll find:
'Write General Information' will allow the user to edit his email and phone number...
though I can see there is a specific one for mail and phone too: 'Write Phone and Mail Option'...
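
Added example, not part of the thread: the same SELF delegation scripted with the ActiveDirectory PowerShell module, granting write access per attribute rather than per property set so the list of updatable fields stays explicit, then listing the resulting entries for review. The OU distinguished name, the attribute list and the `Get-SchemaGuid` helper are assumptions made for illustration.

```powershell
# Added example: per-attribute SELF write delegation on one OU.
# Assumptions: the OU DN and the attribute allow-list are placeholders; adjust both.
Import-Module ActiveDirectory

$ouDn       = 'OU=Staff,DC=example,DC=com'        # hypothetical OU holding the user accounts
$attributes = 'telephoneNumber', 'department'     # fields a user may edit on their own account

# Resolve schema GUIDs at run time instead of hard-coding them.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$LdapName) {      # hypothetical helper
    $obj = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapName' not found" }
    [guid]$obj.schemaIDGUID
}

$userClass = Get-SchemaGuid 'user'
# S-1-5-10 is the well-known SID for SELF: the ACE matches only the object being modified.
$self = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-10')

$acl = Get-Acl -Path "AD:\$ouDn"
foreach ($name in $attributes) {
    $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $self,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        (Get-SchemaGuid $name),                                                   # one attribute only
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClass)                                                               # applies to user objects only
    $acl.AddAccessRule($rule)
}
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Review step: list the explicit SELF write entries now present on the OU.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object {
        $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF' -and
        -not $_.IsInherited -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty)
    } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

Removing an attribute from the allow-list later also requires removing its access rule from the OU; the review query shows which `ObjectType` GUIDs are still granted.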
ASKER CERTIFIED SOLUTION
maze-uk

Thanks! Very helpful.