Edit AD Account Information

Greetings:

I'm attempting to give someone the access to ONLY edit account information in AD.  I've created the task view but I'm having trouble securing it from there.  Which rights are required to do this, or am I missing something and there is another way to accomplish the same task?

Thanks!!!
bill_lynchAsked:
 
LesterClaytonCommented:
Account enabled is an attribute.  Account Password is an attribute.  Group Membership is an attribute. Account expiration is an attribute.

Do you see where I'm going here?

Ask yourself "What properties (also known as attributes) do I want to allow these users to edit", and then using the steps I've given you in comment ID 37059625 above, grant the permission to edit those attributes.
0
 
LesterClaytonCommented:
You need to either delegate the user or a specific group he is a member of rights to an OU to be able to edit account information only.  See screenie.

 Delegate Control Wizard
Right click an OU, select "All tasks -> Delegate Control" and then follow the wizard.  The user will then have all the rights you've specified to the OU, and all of the OU's children nodes.
0
 
bill_lynchAuthor Commented:
Thanks for the reply.  I've delegated Access.  I have a task view where the user can see only the OU and below.  I gave him the Write property Delegation.  The problem is that this gives him too many rights.  He can also reset passwords, etc., which I don't want.  Any idea which rights ONLY give him the rights to edit account information, i.e. job title, etc.?
0
 
LesterClaytonCommented:
Remove the delegation, and then re-add it, this time checking only the top box "Create, delete, and manage user accounts".

If that is still too much, we're going to have to create a custom task to delegate.  Please let me know if you require some more refining :)
0
 
bill_lynchAuthor Commented:
hmm.  I'm still finding that he can change passwords, disable accounts, etc.  I'd like him to only be able to edit the attributes...
0
 
LesterClaytonCommented:
OK let's move on to a more refined policy.  In the Delegate Control wizard, use the option "Create a custom task to delegate".

 Delegate Control Wizard
Then, scroll down and choose "User Object"

 User Objects
Then Uncheck "General", check "Property-specific", and then scroll down and give the user read and write for each property you want to give permission to.  As an example, I've given my test user rights to read and write the description attribute of User objects.

 Property Specific
Have fun! :)
0
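For readers who would rather script the same "Property-specific" delegation than click through the wizard, here is an added PowerShell example (my own code, not from the thread or from Microsoft). It resolves the schema GUIDs of the chosen attributes and of the user class, then appends one ACE per attribute to the OU's ACL granting ReadProperty and WriteProperty to a group, inherited by descendant user objects only. The OU, group name and attribute list are placeholders, and Set-Acl runs with -WhatIf so nothing changes until that switch is removed.

```powershell
# Added example, not code from the thread: scripted equivalent of the wizard's
# "Property-specific" read/write delegation for user objects under an OU.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

$OuDn       = 'OU=Staff,DC=example,DC=com'             # placeholder OU
$GroupName  = 'HR-Attribute-Editors'                   # placeholder group
$Attributes = 'title', 'telephoneNumber', 'description', 'physicalDeliveryOfficeName'

$schemaNc = (Get-ADRootDSE).schemaNamingContext

function Get-SchemaGuid {
    # schemaIDGUID of a class or attribute, looked up by its lDAPDisplayName.
    # This is the GUID an object-specific ACE carries in ObjectType/InheritedObjectType.
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $obj = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    [guid]$obj.schemaIDGUID
}

$userClassGuid = Get-SchemaGuid -LdapDisplayName 'user'
$groupSid      = (Get-ADGroup -Identity $GroupName).SID
$acl           = Get-Acl -Path "AD:\$OuDn"

foreach ($attr in $Attributes) {
    $attrGuid = Get-SchemaGuid -LdapDisplayName $attr
    # One ACE per attribute: ReadProperty + WriteProperty on that attribute only,
    # inherited by descendant objects of class "user" (not the OU itself, not groups).
    $rights = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
              [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $groupSid,
        $rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $attrGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid)
    $acl.AddAccessRule($rule)
    Write-Host "Adding Read/Write $attr for $GroupName on $OuDn"
}

# Remove -WhatIf to apply. Existing broader ACEs (e.g. an earlier "Write all
# properties" delegation) are not removed by this and still apply on top.
Set-Acl -Path "AD:\$OuDn" -AclObject $acl -WhatIf
```

The design point is the pairing of ObjectType (the attribute GUID) with InheritedObjectType (the user class GUID): the first limits the ACE to one property, the second keeps it from flowing onto groups, computers or the OU itself. It adds rights only; an earlier broad delegation has to be removed by hand, which is exactly the "too many rights" situation described in the question.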
 
LesterClaytonCommented:
NOTE - if he still has more rights than he should have, then it's probably because he's getting the rights from another group membership, or another delegation.  The last process I've defined won't block the rights he receives from other memberships.  If for example he is a domain admin, he'll still have a lot of rights.
0
 
bill_lynchAuthor Commented:
I removed the other rights via the security tab, and then re-delegated.  Now they are unable to edit the properties...
0
 
LesterClaytonCommented:
You're going to have to provide some more information:

What property (or properties) do you want the users to be able to edit
What property (or properties) have you given them rights to edit
What "effective rights" does the editing account have to the target account?  To find this out, right click the target account, select properties, select Security, Click Advanced, select "Effective Permissions", click "Select" for the Editing Account, and scroll down to see that he or she has the permissions you've delegated.
Effective Permissions
The "Editing Account" is the account which is required to edit the "Target Account".  If the effective rights are not there, then ensure that:

You've allocated the permission at a level which will flow down to the user object.
You've given the delegation to the account that needs to do the editing, rather than the account that is to be modified

Screenshots showing your setup would be very helpful, so I can "see" what you're trying to do.  Right now I'm blind, and very simple descriptions like "Now they are unable to edit the properties..." do not help me to help you.

I'd be happy to help you via Teamviewer, if you would accept, let me have your telephone number and I'll call you.  You can e-mail it to lester at netscenario dot no.
0
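The "effective rights" check above is done by hand in the ACL editor. As an added example (my own code, not from the thread), the following PowerShell lists every allow-ACE on a target account that applies to the editing account, either directly or through its nested group memberships, resolves the GUID each ACE covers to an attribute or extended-right name, and flags anything wider than read/write on a single attribute (reset password, write to all properties, group membership, userAccountControl). This is what makes "he can still reset passwords" visible: the offending ACE and the group it comes from appear in the output. Account names are placeholders; Deny ACEs are skipped, so this is an ACE listing rather than a full effective-permissions evaluation.

```powershell
# Added example, not code from the thread: list the allow-ACEs on a target
# account that match the editing account's SID or any of its (nested) groups,
# name the attribute or extended right each ACE covers, and flag anything
# wider than read/write on an individual attribute.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

$EditorSam = 'jdoe'     # placeholder: the delegated editing account
$TargetSam = 'asmith'   # placeholder: an account in the delegated OU

$rootDse  = Get-ADRootDSE
$schemaNc = $rootDse.schemaNamingContext
$configNc = $rootDse.configurationNamingContext

# GUID -> name: schema attributes/classes, then control-access rights such as
# "Reset Password" (these are what an ACE's ObjectType GUID refers to).
$guidNames = @{}
Get-ADObject -SearchBase $schemaNc -LDAPFilter '(schemaIDGUID=*)' -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidNames[([guid]$_.schemaIDGUID).ToString()] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$configNc" -LDAPFilter '(rightsGuid=*)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidNames[([guid]$_.rightsGuid).ToString()] = "ExtendedRight:$($_.displayName)" }

# SIDs in the editor's token: the account itself, tokenGroups (transitive
# membership computed by the DC) and the well-known SIDs every logon carries.
$editor = Get-ADUser -Identity $EditorSam
$entry  = [ADSI]"LDAP://$($editor.DistinguishedName)"
$entry.RefreshCache(@('tokenGroups'))
$editorSids = @($editor.SID.Value, 'S-1-1-0', 'S-1-5-11') +
    @($entry.Properties['tokenGroups'] | ForEach-Object {
        (New-Object System.Security.Principal.SecurityIdentifier($_, 0)).Value })

$broadRights    = 'GenericAll', 'GenericWrite', 'WriteDacl', 'WriteOwner', 'ExtendedRight'
$sensitiveAttrs = 'member', 'userAccountControl', 'unicodePwd', 'pwdLastSet'

$target = Get-ADUser -Identity $TargetSam
$acl    = Get-Acl -Path "AD:\$($target.DistinguishedName)"

$report = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }   # Deny ACEs are not evaluated here
    try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { continue }
    if ($editorSids -notcontains $sid) { continue }

    $key = $ace.ObjectType.ToString()
    if ($ace.ObjectType -eq [guid]::Empty) { $applies = '<all properties/rights>' }
    elseif ($guidNames.ContainsKey($key))  { $applies = $guidNames[$key] }
    else                                   { $applies = $key }

    $rights = $ace.ActiveDirectoryRights.ToString()
    $flag = ''
    if (($broadRights | Where-Object { $rights -match $_ }) -or
        ($rights -match 'WriteProperty' -and
         ($applies -eq '<all properties/rights>' -or $sensitiveAttrs -contains $applies))) {
        $flag = 'WIDER THAN PER-ATTRIBUTE EDIT'
    }
    [pscustomobject]@{ Trustee = $ace.IdentityReference.Value; Rights = $rights; Applies = $applies
                       Inherited = $ace.IsInherited; Flag = $flag }
}
$report | Sort-Object Flag -Descending | Format-Table -AutoSize
```

Run it as an account that can read the target's security descriptor. A row whose Trustee is a group the editor did not expect to be in, with Flag set, is the "rights from another membership or delegation" case described in the next comment.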
 
bill_lynchAuthor Commented:
I would like the user to be able to edit the attributes inside an AD account, i.e. Job title, phone number, etc..

I do not however want them to be able to add a group, disable an account, etc...
0
 
bill_lynchAuthor Commented:
yup, got it.  I've gotten "almost all" permissions now that I need.  The only one I somehow missed was editing the office... Any idea which one that is?  Thanks for your help in providing clarity!
0
 
LesterClaytonCommented:
Office is a tricky one, because the attribute isn't called office.  I don't know what it's called, but let me introduce you to another very nifty utility called ADSIEDIT.  We're going to find the office property!  You can use this same process to find other tricky properties.  You don't have to do this right now, because the answer is further below, but the steps I've used may be helpful.

Set the office property for a user to be "Test Office"
Opened up ADSI Edit
"browsed" to the test user
Right clicked test user and selected "properties"
Found the property which contained the text "Test Office"



(screenshot: ADSI-Edit-viewing-properties.png)
0
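The ADSI Edit walk-through above (set a recognisable value, then look for it) can be scripted. As an added example (my own code, not from the thread), the PowerShell below pulls every populated attribute of a test user, keeps those whose value equals the marker text, and for each real schema attribute prints its lDAPDisplayName, its schema adminDisplayName, its schemaIDGUID, and the label the ACL editor shows for it, taken from the English (CN=409) user display specifier. For the Office field this resolves to the attribute physicalDeliveryOfficeName, whose display-specifier label is what the ACL editor lists. The account name and marker value are placeholders.

```powershell
# Added example, not code from the thread: locate the attribute behind a UI
# field by its value, then resolve the names each tool uses for it.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

$TestUser = 'testuser'      # placeholder account whose Office field was set to the needle
$Needle   = 'Test Office'

$rootDse  = Get-ADRootDSE
$schemaNc = $rootDse.schemaNamingContext
$configNc = $rootDse.configurationNamingContext

# 1. Pull every populated attribute and keep the ones whose value equals the needle.
#    Get-ADUser exposes both the raw lDAPDisplayName (physicalDeliveryOfficeName)
#    and the module's friendly alias (Office); only the former exists in the schema.
$user = Get-ADUser -Identity $TestUser -Properties *
$hits = $user.PSObject.Properties |
    Where-Object { $null -ne $_.Value -and "$($_.Value)" -eq $Needle } |
    Select-Object -ExpandProperty Name

# 2. The user display specifier (CN=409 = English) maps lDAPDisplayName to the
#    label the ACL editor and property pages show, as "ldapName,Label" strings.
$dispSpec = Get-ADObject -Identity "CN=user-Display,CN=409,CN=DisplaySpecifiers,$configNc" -Properties attributeDisplayNames
$labels = @{}
foreach ($entry in $dispSpec.attributeDisplayNames) {
    $parts = $entry -split ',', 2
    if ($parts.Count -eq 2) { $labels[$parts[0]] = $parts[1] }
}

# 3. For each hit that is a real schema attribute, report every name it goes by.
foreach ($name in $hits) {
    $schema = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$name)" -Properties schemaIDGUID, adminDisplayName
    if (-not $schema) { "$name : not a schema attribute (AD module alias only)"; continue }
    [pscustomobject]@{
        lDAPDisplayName  = $name
        adminDisplayName = $schema.adminDisplayName
        AclEditorLabel   = $labels[$name]           # e.g. "Office Location" for physicalDeliveryOfficeName
        schemaIDGUID     = ([guid]$schema.schemaIDGUID).ToString()
    }
}
```

The AclEditorLabel column is the one to search for in the Advanced Security dialog, and the schemaIDGUID is the value a scripted delegation would put in the ACE's ObjectType.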
 
bill_lynchAuthor Commented:
If for some reason you want to delegate the use of some attribute and that attribute is not listed in the property/attribute specific list, then that attribute is hidden from being viewed. To be able to use that attribute in the delegation of control wizard on THAT SPECIFIC DC, open DSSEC.DAT in %WINDIR%\SYSTEM32, search for the attribute you want to use (make sure you are making changes under the correct [OBJECT]) and change the value 7 to a value 0 (zero). Save DSSEC.DAT and RE-OPEN Active Directory Users and Computers. Before doing this make a copy of the original DSSEC.DAT (e.g. DSSEC.DAT.ORG) and after doing this make a copy of the changed DSSEC.DAT (e.g. DSSEC.DAT.CUST) (if for some reason a hotfix or SP replaces the file you have lost your changes).

I found this blurb.  I believe it takes what you said just a step further.  I'll try and let you know.
0
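The DSSEC.DAT procedure quoted above, as an added PowerShell example (my own code, not from the thread or from the note's original author): it takes the pristine backup once, flips one attribute under one [object] section from 7 to 0, writes the file back and takes the customised copy. The section and attribute are placeholders. Two points worth knowing before running it: DSSEC.DAT only filters which attributes the ACL editor on that machine displays, it grants or removes no permission in the directory; and %WINDIR%\System32 needs an elevated session to write to.

```powershell
# Added example, not code from the thread: back up dssec.dat, then set one
# attribute under one [object] section from 7 to 0 so the ACL editor on this
# machine lists it. dssec.dat only filters what the UI shows; it grants nothing.
# Run in an elevated session: %WINDIR%\System32 is not writable otherwise.
$DssecPath = Join-Path $env:WINDIR 'System32\dssec.dat'
$Section   = 'user'                           # the [object] section to edit
$Attribute = 'physicalDeliveryOfficeName'     # attribute to unhide

# Pristine copy once (never overwritten), customised copy after every change,
# as the quoted note advises, so a hotfix replacing the file does not lose the edit.
if (-not (Test-Path "$DssecPath.ORG")) { Copy-Item -Path $DssecPath -Destination "$DssecPath.ORG" }

$inSection = $false
$changed   = $false
$pattern   = '^\s*' + [regex]::Escape($Attribute) + '\s*=\s*(\d+)\s*$'

$output = foreach ($line in Get-Content -Path $DssecPath) {
    if ($line -match '^\[(.+)\]\s*$') {          # section header such as [user]
        $inSection = ($Matches[1] -eq $Section)
        $line
        continue
    }
    if ($inSection -and $line -match $pattern -and $Matches[1] -ne '0') {
        $changed = $true
        "$Attribute=0"                            # 0 = show in the ACL editor
        continue
    }
    $line
}

if ($changed) {
    Set-Content -Path $DssecPath -Value $output -Encoding Ascii
    Copy-Item -Path $DssecPath -Destination "$DssecPath.CUST" -Force
    Write-Host "Unhid $Attribute under [$Section]; reopen Active Directory Users and Computers."
} else {
    Write-Host "$Attribute under [$Section] was not found or is already 0; file left untouched."
}
```

Because the attribute is matched only inside the chosen section, an entry with the same name under another class (for example [contact]) is left alone, which is the "make sure you are making changes under the correct [OBJECT]" caution in the note.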
 
LesterClaytonCommented:
Sorry, I pressed submit by mistake, sending my reply before it was finished.  The property for "Office" is "physicalDeliveryOffice", however I cannot find this as a Property-Specific permission to add.  Odd.  Can we try "Write street" and "Write Street Address"?

0
 
LesterClaytonCommented:
Ah I see you've found some very useful information - good one :)
0
 
bill_lynchAuthor Commented:
It appears that this was already set to 7 (so it should be showing).  However, like you said, it does not jump out and say "here I am!!"  I believe I already have write street and write street 1 enabled.... I'll keep poking at it.
0
 
LesterClaytonCommented:
The blurb suggests you should change it from the 7 to a 0

change the value 7 to a value 0 (zero).
0
 
bill_lynchAuthor Commented:
yeah, I caught that.  I changed it to a zero, but still no luck...
0
 
bill_lynchAuthor Commented:
It did work.  Not to where I could see it in the delegation wizard, but if you go into the Advanced Properties of the OU and you assign permissions to User Objects, the Office Location read and write attributes appear.  Thanks for the help!!!
0