Modifying attribute of AD object
Posted on 2009-07-02
I have a query in AD/LDAP I was hoping someone could answer.
So, to start - our setup is a multi-domain forest. Forest root is contoso.com, and we have child domains of EMEA.contoso.com, Asia.contoso.com, and NA.contoso.com. AD is 2003 forest/domain functional levels.
Whenever a user account is created, we need to add a new attribute, let's call it Securitycleared. The values can be either true or false. This attribute does not exist in AD, so we have a little tool - created ages ago - that our Helpdesk use when they create accounts to add the attribute. Using this tool, named SecurityTool, the Helpdesk can add either the True or False value.
The tool is used by all domains. We now have a situation where an IT Admin in Asia needs to change the value of this attributes for some EMEA users. He will be using an Asia account though. Does anyone know what permissions are needed to change the attribute? Also, Asia don't use SecurityTool, they have their own one they created themselves. Is there a way other than using the tool, e.g. PowerShell, that the attribute can be changed?
Also, are the permissions required any different if the Admin wants to actually add an attribute rather than change one?
I guess what I am asking is, what permissions are needed to change the attributes of an AD object? And also, will these permissions allow someone to change -any- AD object, or do some objects require more rights than others? If so, how can I tell what permissions are needed?