Tech Line

AD Delegation Dilemma

Admin has difficulty giving HR the right permissions to edit data.

Chris: Our company has finally come around to using Microsoft Exchange, as well as letting me deploy some SharePoint services. Going hand-in-hand with the availability of information this is going to give us, HR wants to be able to store users' addresses and phone numbers in Active Directory (fields we in IT have been leaving blank).

We'd like to give our HR manager access to enter all that data and I've tried to delegate permissions to do just that. However, my attempts end up allowing my HR person to create or even delete user accounts in specific folders, but not to edit the data fields (Office, Address, Phone Number, etc).

Now I'm left with two separate issues. Since I've granted permissions to my HR manager that I don't necessarily want them to have, how do I un-delegate those permissions? And how do I grant my HR manager just the ability to edit the contents of user objects in AD?

Our DCs are both Windows Server 2003 Standard, I don't know a thing about scripting and free tools are all my budget will allow for. Am I a lost cause?
— Dustin

Tech Help—Just An E-Mail Away

Got a Windows, Exchange or virtualization question or need troubleshooting help? Or maybe you want a better explanation than provided in the manuals? Describe your dilemma in an e-mail to the editors at; the best questions get answered in this column and garner the questioner with a nifty baseball-style cap.

When you send your questions, please include your full first and last name, location, certifications (if any) with your message. (If you prefer to remain anonymous, specify this in your message, but submit the requested information for verification purposes.)

Dustin, first I must congratulate you on your bravery. A wise person once told me to never ask a question unless you really want an answer. I’d probably never ask my readers if I’m a lost cause because they’d be more than happy to tell me that I’m probably beyond lost.

In your situation, you’re definitely not a lost cause. You were on the right track with user delegation, but just strayed a little off the path. Before setting the correct permissions, your first task should be to remove the permissions that were previously set by the Delegation of Control Wizard. To do this, you’ll need to open Active Directory Users and Computers, click on the View menu, and ensure that Advanced Features is selected. Then right-click the Domain or OU object where the permissions were originally delegated, and select Properties. From there, click the Security tab and you’ll see the HR user group (or user account object in your case). At this point, you just need to click on the object listed in the Access Control List (ACL) and click the Remove button. Once you click OK, any permissions that were previously delegated will be removed.

Now you’re ready to delegate the correct permissions. A best practice is to always assign permissions at the group level instead of to individual users. This way, as users leave the company, you don’t have to remove their account objects from any ACLs. So in your case, if you haven’t done so already, I recommend creating a HR user group (or HR Managers group) and then adding the HR manager’s user object to the new group. You can then delegate control to the new group by following these steps:

  1. In Active Directory Users and Computers, right-click on the domain or OU object where you’d like to delegate permission and select Delegate Control.
  2. When the Delegation of Control Wizard opens, click Next.
  3. Click the Add button to add the HR group.
  4. In the Select Users, Computers, or Groups dialog box, enter the name of the HR user group and click OK.
  5. Now click Next.
  6. Click the “Create a Custom Task to Delegate” radio button and click Next.
  7. Click the “Only the Following Objects in this Folder” radio button, then scroll down and check the User Objects checkbox and click Next.
  8. In the Permissions dialog box, leave the General checkbox selected, then scroll down the Permissions portion of the window and check the following boxes: Read and Write General Information; Read and Write Personal Information; Read and Write Phone and Mail Options; Read and Write Web Information; Read and Write Public Information
  9. Click Finish to close the Delegation of Control Wizard.
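The same two tasks, removing what an earlier Delegation of Control Wizard run granted and then re-delegating only Read/Write on the five property sets from step 8 to descendant user objects, can be done in PowerShell against the directory. This is an added example, not part of the column; the OU path, the group name and the previously delegated account are placeholders (assumptions) to be replaced with your own, and it must be run by an account allowed to change the OU's security descriptor. It resolves the property-set and user-class GUIDs from the Extended-Rights and Schema containers rather than hard-coding them, and it finishes by listing the resulting ACEs so they can be checked against step 8.

```powershell
# Added example (not the column's own code). Placeholders, adjust for your domain:
$ouDN       = "OU=Staff,DC=corp,DC=example"   # assumed OU where control is delegated
$hrGroup    = "CORP\HR Managers"              # assumed domain group, never a single user
$oldAccount = "CORP\hr.manager"               # assumed account the earlier wizard run targeted
# The five property sets step 8 calls "Read and Write ...":
$propSets = "General Information", "Personal Information",
            "Phone and Mail Options", "Web Information", "Public Information"

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNC = $rootDse.Get("configurationNamingContext")
$schemaNC = $rootDse.Get("schemaNamingContext")

# Look up a property set's rightsGuid in the Extended-Rights container so that
# no GUIDs have to be hard-coded in the script.
function Get-PropertySetGuid([string]$displayName) {
    $root   = [ADSI]"LDAP://CN=Extended-Rights,$configNC"
    $filter = "(&(objectClass=controlAccessRight)(displayName=$displayName))"
    $result = (New-Object DirectoryServices.DirectorySearcher -ArgumentList $root, $filter).FindOne()
    if (-not $result) { throw "Property set '$displayName' not found under $configNC" }
    return [Guid]$result.Properties["rightsguid"][0]
}

# Look up the schemaIDGUID of an object class (here "user"); this is what the
# wizard's "Only the following objects in this folder: User objects" maps to.
function Get-ClassGuid([string]$ldapDisplayName) {
    $root   = [ADSI]"LDAP://$schemaNC"
    $filter = "(&(objectClass=classSchema)(lDAPDisplayName=$ldapDisplayName))"
    $result = (New-Object DirectoryServices.DirectorySearcher -ArgumentList $root, $filter).FindOne()
    if (-not $result) { throw "Class '$ldapDisplayName' not found under $schemaNC" }
    return New-Object Guid -ArgumentList (,[byte[]]$result.Properties["schemaidguid"][0])
}

# Undo the earlier delegation: remove every explicit ACE for the given account
# on this object. Inherited ACEs are left alone, exactly as the Security tab does.
function Remove-DelegatedAccess([string]$dn, [string]$account) {
    $entry = [ADSI]"LDAP://$dn"
    $acl   = $entry.psbase.ObjectSecurity
    $stale = @($acl.GetAccessRules($true, $false, [Security.Principal.NTAccount]) |
              Where-Object { $_.IdentityReference.Value -eq $account })
    foreach ($rule in $stale) { $acl.RemoveAccessRuleSpecific($rule) }
    $entry.psbase.CommitChanges()
    return $stale.Count
}

# Re-delegate: Read/Write on each property set, scoped to descendant user
# objects only, so the group cannot create or delete accounts in the OU.
function Grant-HRDelegation([string]$dn, [string]$account, [string[]]$sets) {
    $entry     = [ADSI]"LDAP://$dn"
    $acl       = $entry.psbase.ObjectSecurity
    $sid       = (New-Object Security.Principal.NTAccount -ArgumentList $account).Translate([Security.Principal.SecurityIdentifier])
    $rights    = [DirectoryServices.ActiveDirectoryRights]"ReadProperty, WriteProperty"
    $userClass = Get-ClassGuid "user"
    foreach ($set in $sets) {
        $rule = New-Object DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
            $sid, $rights, [Security.AccessControl.AccessControlType]::Allow,
            (Get-PropertySetGuid $set),
            [DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
            $userClass)
        $acl.AddAccessRule($rule)
    }
    $entry.psbase.CommitChanges()
}

# List what the account now holds on the OU, for comparison with step 8.
function Get-DelegatedAccess([string]$dn, [string]$account) {
    $acl = ([ADSI]"LDAP://$dn").psbase.ObjectSecurity
    $acl.GetAccessRules($true, $false, [Security.Principal.NTAccount]) |
        Where-Object { $_.IdentityReference.Value -eq $account } |
        Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType, InheritanceType
}

# Usage, in the column's order: clean up the old delegation, then delegate to the group.
"Removed {0} stale ACE(s) for {1}" -f (Remove-DelegatedAccess $ouDN $oldAccount), $oldAccount
Grant-HRDelegation $ouDN $hrGroup $propSets
Get-DelegatedAccess $ouDN $hrGroup | Format-Table -AutoSize
```

The listing at the end should show exactly five Allow entries for the group, each with ReadProperty, WriteProperty, an ObjectType equal to one property set's GUID, InheritedObjectType equal to the user class GUID and InheritanceType Descendents, and no CreateChild or DeleteChild rights. If the earlier wizard run was done on a different OU or on the domain object, run Remove-DelegatedAccess against that distinguished name as well.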

At this point, your HR manager will be able to edit only the personal information on a user object, but not create or delete any user objects. Furthermore, the manager can do this without using the Active Directory Users and Computers MMC. Instead, he or she can query and modify user objects in AD through the Address Book tool in the Accessories folder (Start – All Programs – Accessories – Address Book) on a Windows XP Professional desktop. Once the Address Book opens, click the Find People button on the toolbar. When the Find People dialog box opens, ensure that Active Directory is selected in the Look In field, enter the name of the user object to edit in the Name field, and then click Find Now. The user account will then be displayed at the bottom of the window. To edit the user information, click on the user object and then click the Properties button. From here the manager can edit the user’s home address, telephone, and business-related information. This should provide just enough AD interaction for the HR manager.

With this problem fixed, you can now get back to what most admins do as a common practice – referring to your users as lost causes!

About the Author

Chris Wolf is a Microsoft MVP for Windows - Virtual Machine and is an MCSE, MCT, and CCNA. He's a Senior Analyst for Burton Group who specializes in the areas of virtualization solutions, high availability, storage and enterprise management. Chris is the author of Virtualization: From the Desktop to the Enterprise (Apress) and Troubleshooting Microsoft Technologies (Addison Wesley), and a contributor to the Windows Server 2003 Deployment Kit (Microsoft Press).
