There are a few values within Active Directory that we like to keep up to date. These include things such as telephone number, title, manager and department. By having accurate information, our Exchange Global Address List can be used as an effective company directory and search tool.
However, placing the burden of keeping these things up to date on myself as System Administrator isn’t acceptable, especially when the information is already in the hands of someone else.
Luckily I found a way to use an MMC control to delegate changes to certain personnel.
Note: This is only tested on Windows XP
To begin, create a user group called “ADedits” or something appropriate. Assign this group to the top level User OU in your structure, with special permissions for the following attributes:
- Read Name
- Read Display Name
- Read First Name
- Read Initials
- Write telephoneAssistant
- Read/Write adminDescription
- Read/Write adminDisplayName
- Read/Write assistant
- Read/Write Fax Number (others)
- Read/Write Mobile Number (others)
- Read/Write businessCategory
- Read/Write street
- Read/Write Notes
- Read/Write telephoneNumber
- Read/Write Department
- Read/Write Description
- Read/Write Title
- Read/Write Comment
- Read/Write Fax Number
- Read/Write Home Address
- Read/Write Street Address
- Read/Write Company
- Read/Write Home Phone
- Read/Write Home Phone (others)
- Read/Write Mobile Number
- Read/Write Pager Number (others)
- Read/Write Phone Number (others)
- Read/Write Pager Number
- Read/Write roomNumber
- Read/Write Post Office Box
- Read/Write postalAddress
- Read/Write Zip/Postal Code
- Read/Write Manager
On the computers where the changes will be made, install the adminpak.msi package from here:
Then create an MMC file with the Active Directory Users and Computers snap-in. Once that's loaded, right-click on the container OU for your user accounts and select “New Window from Here”. In the window list in the MMC control, close the original window, and then save the MMC for redistribution.
Now you have a control that targets only the Users OU, secured for specified people.
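The group creation and attribute-level delegation above can also be scripted, which makes the permission set reviewable and repeatable. The following PowerShell is an added example and not part of the original post or its XP-era adminpak procedure: it assumes the RSAT ActiveDirectory module (Windows Server 2008 R2 or later), an account allowed to modify the OU's security descriptor, and placeholder distinguished names that you replace with your own. The MMC console itself is still built by hand as described above.

```powershell
# Added example (not from the original post). Assumptions: the RSAT
# ActiveDirectory module is installed, the running account may edit the OU's
# ACL, and the DNs below are placeholders for your own domain.
Import-Module ActiveDirectory

$GroupName = 'ADedits'
$GroupPath = 'OU=Groups,DC=example,DC=com'   # placeholder: where the group is created
$UsersOU   = 'OU=Users,DC=example,DC=com'    # placeholder: the top-level user OU

# lDAPDisplayName form of the attribute list in the post
$ReadWriteAttrs = @(
    'telephoneNumber','mobile','facsimileTelephoneNumber','homePhone','pager',
    'otherTelephone','otherMobile','otherFacsimileTelephoneNumber','otherHomePhone','otherPager',
    'title','department','company','description','info','comment',
    'street','streetAddress','homePostalAddress','postOfficeBox','postalAddress','postalCode',
    'roomNumber','businessCategory','assistant','adminDescription','adminDisplayName','manager'
)
$ReadOnlyAttrs  = @('name','displayName','givenName','initials')  # enough for the snap-in to show who is being edited
$WriteOnlyAttrs = @('telephoneAssistant')

# 1. Create the delegation group if it does not exist yet
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -Path $GroupPath `
        -Description 'Delegated editing of contact attributes on user objects'
}
$groupSid = (Get-ADGroup -Identity $GroupName).SID

# 2. Resolve schema GUIDs: each ACE is scoped to one attribute and to the 'user' class
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    [guid]$obj.schemaIDGUID
}
$userClassGuid = Get-SchemaGuid 'user'

# 3. Build property-level ACEs that inherit to descendant user objects only
$acl = Get-Acl -Path "AD:\$UsersOU"
function Add-AttributeRule([string]$Attr, [System.DirectoryServices.ActiveDirectoryRights]$Rights) {
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $groupSid, $Rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        (Get-SchemaGuid $Attr),
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid)
    $acl.AddAccessRule($rule)
}
foreach ($a in $ReadWriteAttrs) { Add-AttributeRule $a 'ReadProperty, WriteProperty' }
foreach ($a in $ReadOnlyAttrs)  { Add-AttributeRule $a 'ReadProperty' }
foreach ($a in $WriteOnlyAttrs) { Add-AttributeRule $a 'WriteProperty' }
Set-Acl -Path "AD:\$UsersOU" -AclObject $acl

# 4. Verify what the group actually received: every row should name a single
#    attribute GUID, and none should show GenericAll or unscoped WriteProperty
(Get-Acl -Path "AD:\$UsersOU").Access |
    Where-Object { $_.IdentityReference -like "*\$GroupName" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

Scoping each ACE with the `user` class GUID as the inherited object type means the rights apply to user objects beneath the OU and not to the OU itself or to groups and computers stored there, which is what the Delegation of Control Wizard produces when you pick individual properties by hand. The final query is the check worth keeping around: an empty `ObjectType` column or a `GenericAll` entry means the delegation is broader than the attribute list intends.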