AD Delegation Dilemma
Admin has difficulty giving HR the right permissions to edit data.
Our company has finally come around to using Microsoft Exchange, as well as letting me deploy some SharePoint services. Going hand-in-hand with the availability of information this is going to give us, HR wants to be able to store users' addresses and phone numbers in Active Directory (fields we in IT have been leaving blank).
We'd like to give our HR manager access to enter all that data and I've tried to delegate permissions to do just that. However, my attempts end up allowing my HR person to create or even delete user accounts in specific folders, but not to edit the data fields (Office, Address, Phone Number, etc).
Now I'm left with two separate issues. Since I've granted permissions to my HR manager that I don't necessarily want them to have, how do I un-delegate those permissions? And how do I grant my HR manager just the ability to edit the contents of user objects in AD?
Our DCs are both Windows Server 2003 Standard, I don't know a thing about scripting and free tools are all my budget will allow for. Am I a lost cause?
Tech Help—Just An
Got a Windows, Exchange or virtualization question or need troubleshooting help? Or maybe you want a better explanation than provided in the manuals? Describe your dilemma in an e-mail to the MCPmag.com editors; the best questions get answered in this column and garner the questioner with a nifty MCPmag.com baseball-style
When you send your questions, please include your full first and last name, location, certifications (if any) with your message. (If you prefer to remain anonymous, specify this in your message, but submit the requested information for verification purposes.)
Dustin, first I must congratulate you on your bravery. A wise person once told me to never ask a question unless you really want an answer. I’d probably never ask my readers if I’m a lost cause because they’d be more than happy to tell me that I’m probably beyond lost.
In your situation, you’re definitely not a lost cause. You were on the right track with user delegation, but just strayed a little off the path. Before setting the correct permissions, your first task should be to remove the permissions that were previously set by the Delegation of Control Wizard. To do this, you’ll need to open Active Directory Users and Computers, click on the View menu, and ensure that Advanced Features is selected. Then right-click the Domain or OU object where the permissions were originally delegated, and select Properties. From there, click the Security tab and you’ll see the HR user group (or user account object in your case). At this point, you just need to click on the object listed in the Access Control List (ACL) and click the Remove button. Once you click OK, any permissions that were previously delegated will be removed.
Now you’re ready to delegate the correct permissions. A best practice is to always assign permissions at the group level instead of to individual users. This way, as users leave the company, you don’t have to remove their account objects from any ACLs. So in your case, if you haven’t done so already, I recommend creating a HR user group (or HR Managers group) and then adding the HR manager’s user object to the new group. You can then delegate control to the new group by following these steps:
- In Active Directory Users and Computers, right-click on the domain or OU object where you’d like to delegate permission and select Delegate Control.
- When the Delegation of Control Wizard opens, click Next.
- Click the Add button to add the HR group.
- In the Select Users, Computers, or Groups dialog box, enter the name of the HR user group and click OK.
- Now click Next.
- Click the “Create a Custom Task to Delegate” radio button and click Next.
- Click the “Only the Following Objects in this Folder” radio button, then scroll down and check the User Objects checkbox and click Next.
- In the Permissions dialog box, leave the General checkbox selected, then scroll down the Permissions portion of the window and check the following boxes: Read and Write General Information; Read and Write Personal Information; Read and Write Phone and Mail Options; Read and Write Web Information; Read and Write Public Information
- Click Finish to close the Delegation of Control Wizard.
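The same two operations the column walks through in the GUI (removing what the earlier wizard run granted, then delegating Read/Write on the five property sets to user objects only) can be done and, more importantly, audited from PowerShell. The script below is an added example, not code from the column or from Microsoft; it assumes the ActiveDirectory module (RSAT) on a management workstation that can reach the domain, and the OU name "OU=Staff,DC=example,DC=com" and group name "HR Managers" are placeholders. It first lists every explicit ACE the group holds on the OU and flags any that allow creating or deleting objects, so you can see the over-delegation before it is removed, and it looks the property-set and class GUIDs up in the forest instead of hard-coding them.

```powershell
# Added example (not part of the column): audit, clean up and re-delegate the HR group's
# permissions on an OU with the ActiveDirectory PowerShell module.
# Placeholders (not values from the column): the OU "OU=Staff,DC=example,DC=com"
# and the group "HR Managers".
Import-Module ActiveDirectory

$ouDN    = 'OU=Staff,DC=example,DC=com'   # placeholder: OU where control was delegated
$group   = Get-ADGroup 'HR Managers'      # placeholder: the HR group
$sid     = [System.Security.Principal.SecurityIdentifier]$group.SID
$rootDse = Get-ADRootDSE

# Resolve property-set and class GUIDs from this forest rather than hard-coding them.
function Get-PropertySetGuid([string]$DisplayName) {
    $er = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
                       -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$er.rightsGuid
}
$userClass = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
                          -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID
$userClassGuid = New-Object System.Guid (,$userClass.schemaIDGUID)

# 1. Audit: list every explicit ACE the HR group holds on the OU and flag the ones that
#    grant object creation/deletion, which is what the wizard run in the question produced.
$acl = Get-Acl -Path "AD:\$ouDN"
$hrAces = @($acl.Access | Where-Object {
    -not $_.IsInherited -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $sid.Value
})
foreach ($ace in $hrAces) {
    $flag = if ($ace.ActiveDirectoryRights -match 'CreateChild|DeleteChild|GenericAll|Delete') {
        'OVER-DELEGATED'
    } else {
        'ok'
    }
    '{0,-15} {1,-6} {2} objectType={3}' -f $flag, $ace.AccessControlType,
                                           $ace.ActiveDirectoryRights, $ace.ObjectType
}

# 2. Un-delegate: drop the group's explicit ACEs (same effect as the Remove button on the
#    Security tab). The ACL is written back once, after the new rules are added below.
foreach ($ace in $hrAces) { [void]$acl.RemoveAccessRule($ace) }

# 3. Re-delegate: Read/Write on the five property sets, applied only to descendant user
#    objects, which is what the wizard's "Only the following objects ... User objects" path
#    does. No CreateChild/DeleteChild, so accounts cannot be created or deleted.
$rights  = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
foreach ($setName in 'General Information', 'Personal Information',
                     'Phone and Mail Options', 'Web Information', 'Public Information') {
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $rights, [System.Security.AccessControl.AccessControlType]::Allow,
        (Get-PropertySetGuid $setName), $inherit, $userClassGuid)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path "AD:\$ouDN" -AclObject $acl
```

Run the audit section alone first (comment out steps 2 and 3) to confirm the lines marked OVER-DELEGATED are the ones you expect; rerunning the audit after Set-Acl should show only Allow ReadProperty, WriteProperty entries, each carrying a property-set GUID, and nothing with CreateChild or DeleteChild.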
At this point, your HR manager will now be able only to edit personal information for a user object, but not to create or delete any user objects. Furthermore, the manager can do this without using the Active Directory Users and Computers MMC. Instead, he or she could query and modify user objects in AD by accessing the Address Book tool located in the Accessories folder (Start – All Programs – Accessories – Address Book) on a Windows XP Professional desktop. Once the Address Book opens, click the Find People object on the Toolbar. Once the Find People dialog box opens, ensure that Active Directory is selected in the Look In field, enter the name of the user object to edit in the Name field, and then click Find Now. The user account will then be displayed at the bottom of the window. To edit the user information, click on the user object and then click the Properties button. From here you could edit the user’s home address, telephone, and business-related information. This should provide just enough AD interaction for the HR Manager.
With this problem fixed, you can now get back to what most admins do as a common practice – referring to your users as lost causes!