Delegate a user to edit custom fields in user properties (phone numbers, street, etc.)

Posted on January 27th, 2008 in Active Directory, Microsoft by Gil Kreslavsky

1. Run Active Directory Users and Computers.
2. Right-click the container holding the users (or the domain name if you want to delegate all) and hit Delegate Control.
3. Welcome Screen – hit Next.
4. Users or Groups screen – click Add and select the person or group to delegate this control to. Click Next.
5. Tasks to Delegate screen – select “Create a custom task to delegate”. Click Next.
6. Active Directory Object Type screen – Select “Only the following objects in the folder:”. Check “User objects”. Click Next.
7. Permissions screen – uncheck “General” and check “Property-specific”. Check the boxes corresponding to the specific fields you would like the user or group to be able to edit. Click Next.
8. Completing screen – click Finish.

It can also be done by script.
Just change the fields marked in red.

' ADSI constants used to build the access control entry (ACE)
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
Const ADS_RIGHT_DS_READ_PROP = &H10
Const ADS_RIGHT_DS_WRITE_PROP = &H20
Const ADS_FLAG_OBJECT_TYPE_PRESENT = &H1
Const ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT = &H2
Const ADS_ACEFLAG_INHERIT_ACE = &H2

' Bind to the container (example path) and read its DACL
Set objSdUtil = GetObject("LDAP://OU=OU Name,DC=example,DC=Com")
Set objSD = objSdUtil.Get("ntSecurityDescriptor")
Set objDacl = objSD.DiscretionaryAcl

Set objAce = CreateObject("AccessControlEntry")

' User or group that receives the delegation (example trustee)
objAce.Trustee = "DomainName.com\Example_secretary"
objAce.AceFlags = ADS_ACEFLAG_INHERIT_ACE
objAce.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objAce.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT Or ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT
' What may be edited: the Personal-Information property set
objAce.ObjectType = "{77b5b886-944a-11d1-aebd-0000f80367c1}"
' Which objects the ACE applies to: the User class
objAce.InheritedObjectType = "{BF967ABA-0DE6-11D0-A285-00AA003049E2}"
objAce.AccessMask = ADS_RIGHT_DS_READ_PROP Or ADS_RIGHT_DS_WRITE_PROP
objDacl.AddAce objAce

objSD.DiscretionaryAcl = objDacl

' Write the updated security descriptor back to the directory
objSdUtil.Put "ntSecurityDescriptor", Array(objSD)
objSdUtil.SetInfo
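
To review what has been delegated, the following added example (PowerShell, not part of the original post) lists the allow ACEs in a security descriptor that grant property writes on user objects and flags any that are wider than the property set used above. The function name `Get-DelegatedUserWriteAce` and the sample SID are constructed for illustration; the demo builds the script's ACE in memory, so it runs without a domain.

```powershell
# Added example: audit which trustees may write user properties under a container.
Add-Type -AssemblyName System.DirectoryServices

# GUIDs copied from the script above.
$PersonalInfoSet = [Guid]'77b5b886-944a-11d1-aebd-0000f80367c1'  # ObjectType (Personal-Information)
$UserClass       = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # InheritedObjectType (User)

function Get-DelegatedUserWriteAce {   # hypothetical helper name
    param([Parameter(Mandatory)][System.DirectoryServices.ActiveDirectorySecurity]$Security)
    $write = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    # Explicit and inherited ACEs; trustees are returned as SIDs (no name lookup).
    $Security.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.ActiveDirectoryRights -band $write) -eq $write) -and
            # Empty InheritedObjectType: the ACE applies to every class, users included.
            $_.InheritedObjectType -in @($UserClass, [Guid]::Empty)
        } |
        ForEach-Object {
            # Empty ObjectType: write access to ALL properties, not one set.
            $scope = if ($_.ObjectType -eq [Guid]::Empty) { 'ALL properties (review)' }
                     elseif ($_.ObjectType -eq $PersonalInfoSet) { 'Personal-Information set' }
                     else { 'Other property or set' }
            [pscustomobject]@{
                Trustee     = $_.IdentityReference.Value
                Rights      = $_.ActiveDirectoryRights
                Scope       = $scope
                ObjectType  = $_.ObjectType
                IsInherited = $_.IsInherited
            }
        }
}

# Constructed sample: a descriptor holding the same ACE the script above adds.
$sid  = [System.Security.Principal.SecurityIdentifier]'S-1-5-21-1111111111-2222222222-3333333333-1105'
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    ([System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'),
    [System.Security.AccessControl.AccessControlType]::Allow,
    $PersonalInfoSet,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All,
    $UserClass)
$sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
$sd.AddAccessRule($rule)
Get-DelegatedUserWriteAce -Security $sd | Format-Table -AutoSize

# Against a live directory (placeholder path, as in the script above):
# Get-DelegatedUserWriteAce -Security ([ADSI]'LDAP://OU=OU Name,DC=example,DC=Com').ObjectSecurity
```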
