Solved

Edit AD Account Infor

Posted on 2011-10-31
Last Modified: 2012-05-12
Greetings:

I'm attempting to give someone the access to ONLY edit account information in AD.  I've created the task view but I'm having trouble securing it from there.  Which rights are required to do this, or am I missing something and there is another way to accomplish the same task?

Thanks!!!
Question by:bill_lynch
19 Comments
 
LVL 18

Expert Comment

by:LesterClayton
ID: 37059482
You need to either delegate the user or a specific group he is a member of rights to an OU to be able to edit account information only.  See screenie.

[screenshot: Delegate Control Wizard]
Right click an OU, select "All tasks -> Delegate Control" and then follow the wizard.  The user will then have all the rights you've specified to the OU, and all of the OU's children nodes.
 
LVL 9

Author Comment

by:bill_lynch
ID: 37059519
Thanks for the reply.  I've delegated access.  I have a task view where the user can see only the OU and below.  I gave him the Write property delegation.  The problem is that this gives him too many rights.  He can also reset passwords, etc., which I don't want.  Any idea which rights ONLY give him the rights to edit account information, i.e. job title, etc.?
 
LVL 18

Expert Comment

by:LesterClayton
ID: 37059526
Remove the delegation, and then re-add it, this time checking only the top box "Create, delete, and manage user accounts".

If that is still too much, we're going to have to create a custom task to delegate.  Please let me know if you require some more refining :)
 
LVL 9

Author Comment

by:bill_lynch
ID: 37059596
hmm.  I'm still finding that he can change passwords, disable accounts, etc.  I'd like him to only be able to edit the attributes...
 
LVL 18

Expert Comment

by:LesterClayton
ID: 37059625
OK let's move on to a more refined policy.  In the Delegate Control wizard, use the option "Create a custom task to delegate".

[screenshot: Delegate Control Wizard]
Then, scroll down and choose "User Object"

[screenshot: User Objects]
Then Uncheck "General", check "Property-specific", and then scroll down and give the user read and write for each property you want to give permission to.  As an example, I've given my test user rights to read and write the description attribute of User objects.

[screenshot: Property Specific]
Have fun! :)
 
LVL 18

Expert Comment

by:LesterClayton
ID: 37059630
NOTE - if he still has more rights than he should have, then it's probably because he's getting the rights from another group membership, or another delegation.  The last process I've defined won't block his rights he receives from other memberships.  If for example he is a domain admin, he'll still have a lot of rights.
 
LVL 9

Author Comment

by:bill_lynch
ID: 37062789
I removed the other rights via the security tab, and then re-delegated.  Now they are unable to edit the properties...
 
LVL 18

Expert Comment

by:LesterClayton
ID: 37062941
You're going to have to provide some more information:

What property (or properties) do you want the users to be able to edit
What property (or properties) have you given them rights to edit
What "effective rights" does the editing account have to the target account?  To find this out, right click the target account, select properties, select Security, Click Advanced, select "Effective Permissions", click "Select" for the Editing Account, and scroll down to see that he or she has the permissions you've delegated.
[screenshot: Effective Permissions]
The "Editing Account" is the account which is required to edit the "Target Account".  If the effective rights are not there, then ensure that:

You've allocated the permission at a level which will flow down to the user object.
You've given the delegation to the account that needs to do the editing, rather than the account that is to be modified

Screenshots showing your setup would be very helpful, so I can "see" what you're trying to do.  Right now I'm blind, and very simple descriptions like "Now they are unable to edit the properties..." do not help me to help you.

I'd be happy to help you via Teamviewer, if you would accept, let me have your telephone number and I'll call you.  You can e-mail it to lester at netscenario dot no.
 
LVL 9

Author Comment

by:bill_lynch
ID: 37063004
I would like the user to be able to edit the attributes inside an AD account, i.e. Job title, phone number, etc..

I do not however want them to be able to add a group, disable an account, etc...
 
LVL 18

Accepted Solution

by:LesterClayton (earned 2000 total points)
ID: 37063078
Account enabled is an attribute.  Account Password is an attribute.  Group Membership is an attribute. Account expiration is an attribute.

Do you see where I'm going here?

Ask yourself "What properties (also known as attributes) do I want to allow these users to edit", and then using the steps I've given you in comment ID 37059625 above, grant the permission to edit those attributes.
 
LVL 9

Author Comment

by:bill_lynch
ID: 37063179
yup, got it.  I've gotten "almost all" permissions now that I need.  The only one I somehow missed was editing the office... Any idea which one that is?  Thanks for your help in providing clarity!
 
LVL 18

Expert Comment

by:LesterClayton
ID: 37063260
Office is a tricky one, because the attribute isn't called office.  I don't know what it's called, but let me introduce you to another very nifty utility called ADSIEDIT.  We're going to find the office property!  You can use this same process to find other tricky properties.  You don't have to do this right now, because the answer is further below, but the steps I've used may be helpful.

Set the office property for a user to be "Test Office"
Opened up ADSI Edit
"browsed" to the test user
Right clicked test user and selected "properties"
Found the property which contained the text "Test Office"
[screenshot: ADSI-Edit-viewing-properties.png]
 
LVL 9

Author Comment

by:bill_lynch
ID: 37063298
If for some reason you want to delegate the use of some attribute and that attribute is not listed in the property/attribute specific list, then that attribute is hidden from being viewed. To be able to use that attribute in the delegation of control wizard on THAT SPECIFIC DC, open DSSEC.DAT in %WINDIR%\SYSTEM32, search for the attribute you want to use (make sure you are making changes under the correct [OBJECT]) and change the value 7 to a value 0 (zero). Save DSSEC.DAT and RE-OPEN Active Directory Users and Computers. Before doing this make a copy of the original DSSEC.DAT (e.g. DSSEC.DAT.ORG) and after doing this make a copy of the changed DSSEC.DAT (e.g. DSSEC.DAT.CUST) (if for some reason a hotfix or SP replaces the file you have lost your changes).

I found this blurb.  I believe it takes what you said just a step further.  I'll try and let you know.
 
LVL 18

Expert Comment

by:LesterClayton
ID: 37063312
Sorry, I pressed submit by mistake, sending my reply before it was finished.  The property for "Office" is "physicalDeliveryOffice", however I cannot find this as a Property-Specific permission to add.  Odd.  Can we try "Write street" and "Write Street Address"?

 
LVL 18

Expert Comment

by:LesterClayton
ID: 37063322
Ah I see you've found some very useful information - good one :)
 
LVL 9

Author Comment

by:bill_lynch
ID: 37063341
it appears that this was already set to 7 (so it should be showing)  However like you said it does not jump out and say here I am!!  I believe I already have write street and write street 1 enabled.... I'll keep poking at it.
 
LVL 18

Expert Comment

by:LesterClayton
ID: 37063359
The blurb suggests you should change it from the 7 to a 0

change the value 7 to a value 0 (zero).
 
LVL 9

Author Comment

by:bill_lynch
ID: 37063385
yeah, I caught that.  I changed it to a zero, but still no luck...
 
LVL 9

Author Comment

by:bill_lynch
ID: 37063591
It did work.  Not to where I could see it in the delegation wizard, but if you go into the Advanced Properties of the OU and you assign permissions to User Objects, the Office Location read and write attributes appear.  Thanks for the help!!!
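The property-specific delegation from comment ID 37059625 and the Office Location attribute found in the final comment can be scripted instead of clicked through, which also makes the result auditable. The following PowerShell is an added example, not code from the thread or from Experts Exchange. It uses the ActiveDirectory module's AD: drive and the .NET System.DirectoryServices.ActiveDirectoryAccessRule class (both real); the OU name, the group name and the attribute list are assumptions for illustration. The "Office" field is the physicalDeliveryOfficeName attribute, which the ACL editor displays as "Office Location". The audit function at the end is there for the problem the thread kept hitting: an ACE that grants GenericAll, GenericWrite, an extended right (password reset) or a write to all properties lets the delegate do far more than edit a job title, so every ACE the group holds on the OU is listed and flagged if it is broader than a single attribute on user objects.

```powershell
# Added example (not from the thread). Names below are assumptions for illustration.
Import-Module ActiveDirectory

$ouDN      = 'OU=Staff,DC=example,DC=com'   # assumed OU the delegation applies to
$groupName = 'HelpDesk-ProfileEditors'       # assumed group that receives the rights
# Attributes the delegate may edit; physicalDeliveryOfficeName is the "Office" field.
$attributeNames = @('title', 'telephoneNumber', 'description', 'physicalDeliveryOfficeName')

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Resolve the schemaIDGUID that identifies an attribute or class inside an ACE.
function Get-SchemaIdGuid {
    param([Parameter(Mandatory = $true)][string]$LdapDisplayName)
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" `
                        -Properties schemaIDGUID
    if (-not $obj) { throw "No schema object named '$LdapDisplayName'" }
    New-Object System.Guid (,[byte[]]$obj.schemaIDGUID)
}

# Grant Read + Write on exactly the listed attributes, inherited by descendant
# user objects only (the "Property-specific" choice in the wizard, scripted).
function Grant-AttributeWrite {
    param([string]$OuDN, [string]$GroupName, [string[]]$Attributes)
    $sid         = (Get-ADGroup $GroupName).SID
    $userClass   = Get-SchemaIdGuid 'user'
    $rights      = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
    $allow       = [System.Security.AccessControl.AccessControlType]::Allow
    $descendants = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
    $acl         = Get-Acl -Path "AD:\$OuDN"
    foreach ($name in $Attributes) {
        $attrGuid = Get-SchemaIdGuid $name
        # objectType = this one attribute; inheritedObjectType = user class only
        $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
                   -ArgumentList @($sid, $rights, $allow, $attrGuid, $descendants, $userClass)
        $acl.AddAccessRule($ace)
    }
    Set-Acl -Path "AD:\$OuDN" -AclObject $acl
}

# Audit: every ACE the group holds on the OU, flagged when it is broader than
# a single-attribute property right (e.g. GenericAll, extended rights such as
# password reset, or a property right with no attribute GUID = all properties).
function Get-GroupAcesOnOu {
    param([string]$OuDN, [string]$GroupName)
    $sid = (Get-ADGroup $GroupName).SID
    $acl = Get-Acl -Path "AD:\$OuDN"
    $acl.Access |
        Where-Object { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid } |
        ForEach-Object {
            $singleAttribute = ($_.ObjectType -ne [guid]::Empty) -and
                ($_.ActiveDirectoryRights -notmatch 'GenericAll|GenericWrite|WriteDacl|WriteOwner|ExtendedRight|Delete')
            [pscustomobject]@{
                Rights     = $_.ActiveDirectoryRights
                ObjectType = $_.ObjectType           # attribute GUID; Empty means all properties
                AppliesTo  = $_.InheritedObjectType  # user class GUID when scoped to user objects
                Inherited  = $_.IsInherited          # came from a parent container
                TooBroad   = -not $singleAttribute
            }
        }
}

Grant-AttributeWrite -OuDN $ouDN -GroupName $groupName -Attributes $attributeNames
Get-GroupAcesOnOu -OuDN $ouDN -GroupName $groupName | Format-Table -AutoSize
```

Run it as an account that holds Modify Permissions on the OU. The audit only reads the OU's DACL (including ACEs inherited from parents), so, as LesterClayton notes in comment ID 37059630, rights the delegate receives through some other group membership will not show up here; check those by running the same filter against the target user object with the delegate's other groups, or by using the Effective Permissions tab described in comment ID 37062941. The AD: drive does not require DSSEC.DAT edits: attributes hidden from the wizard by a value of 7 in that file can still be granted by GUID this way, which matches the final comment's observation that the Office Location right appears in the OU's advanced security properties even though the wizard does not list it.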
