Delegate minor Active Directory changes

There are a few values within Active Directory that we like to keep up to date. The include things such as Telephone number, Title, Manager and department. By having accurate information, our Exchange Global Address List can be used as an effective company directory and search tool.

However, placing the burden of keeping these things up to date on myself as System Administrator isn’t acceptable, especially when the information is already in the hands of someone else.

Luckily I found a way to use an MMC control to delegate changes to certain personnel.

Note: This is only tested on Windows XP

To begin, create a user group called “ADedits” or something appropriate. Assign this group to the top level User OU in your structure, with special permissions for the following attributes:

Read Name                                         
Read Display Name                                   
Read First Name                                     
Read Initials                                       
Write telephoneassistant                            
Read/write adminDescription                         
Read/write adminDisplayname                         
Read/write assistant                                
Read/write fax numbers(other)                       
Read/write mobile number (other)                    
Read/write businessCategory                         
Read/write street                                   
Read/write Notes                                    
Read/write TelephoneNumber                          
Read/Write department                               
Read/Write Description                              
Read/Write Title
Read/Write Comment                                    
Read/Write Fax Number
Read/Write Home Address
Read/Write Street Address
Read/Write Company
Read/Write Home Phone
Read/Write Home Phone (others)
Read/Write Mobile Number
Read/Write Pager Number (others)
Read/Write Phone Number (others)
Read/Write Pager Number
Read/Write roomNumber
Read/Write Post office Box
Read/Write PostalAddress
Read/Write Zip/PostalCode
Read/Write Manager

On the computers where the changes will be made, install the adminpak.msi package from here:

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=c16ae515-c8f4-47ef-a1e4-a8dcbacff8e3&displaylang=en

Then create an MMC file, with the Active Directory Users and Computers snap-in. Once thats loaded, right click on the container OU for your user accounts, and select “New Window from Here”. In the window list in the MMC control, close the original window, and then save the MMC for redistribution.

Now you have a control that targets only the Users OU, secured for specified people.

Leave a Reply

Your email address will not be published.