Solved

Modifying attribute of AD object

Posted on 2009-07-02
1
295 Views
Last Modified: 2013-12-24
Hi All

I have a query in AD/LDAP I was hoping someone could answer.

So, to start - our setup is a multi-domain forest. Forest root is contoso.com, and we have child domains of EMEA.contoso.com, Asia.contoso.com, and NA.contoso.com. AD is 2003 forest/domain functional levels.

Whenever a user account is created, we need to add a new attribute, let's call it Securitycleared. The values can be either true or false. This attribute does not exist in AD, so we have a little tool - created ages ago - that our Helpdesk use when they create accounts to add the attribute. Using this tool, named SecurityTool, the Helpdesk can add either the True or False value.

The tool is used by all domains. We now have a situation where an IT Admin in Asia needs to change the value of this attributes for some EMEA users. He will be using an Asia account though. Does anyone know what permissions are needed to change the attribute? Also, Asia don't use SecurityTool, they have their own one they created themselves. Is there a way other than using the tool, e.g. PowerShell, that the attribute can be changed?

Also, are the permissions required any different if the Admin wants to actually add an attribute rather than change one?

I guess what I am asking is, what permissions are needed to change the attributes of an AD object? And also, will these permissions allow someone to change -any- AD object, or do some objects require more rights than others? If so, how can I tell what permissions are needed?
0
Comment
Question by:bruce_77
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 71

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 24772412

> Does anyone know what permissions are needed to change the attribute?

Write permissions on the attribute. Is there an option in the access control list for the attribute at all?

> Is there a way other than using the tool, e.g. PowerShell, that the attribute can be changed?

I don't see why not. It's just an attribute on a user account.

> Also, are the permissions required any different if the Admin wants to actually add an
> attribute rather than change one?

I'm assuming you modified the Schema to add the attribute. In which case, adding is no different from modification, adding just gives it an initial value.

Chris
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article shows the steps required to install WordPress on Azure. Web Apps, Mobile Apps, API Apps, or Functions, in Azure all these run in an App Service plan. WordPress is no exception and requires an App Service Plan and Database to install
Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question