security setting-edit contact info only in AD?

[cameramonkey]

I can recall seeing some notes a while back, possibly during the rollout presentation by microsoft at a 2003 server event, that there was a way to grant limited AD edit permissions to users.

We have some significant edits to do to our AD user base. These are all things like phone numbers, postal addresses, etc. My dept really doesnt have the time to go through all 1500 accounts, and we also dont want to grant full domain admin rights to an admin assistant to make the changes. We have already made the bulk changes for common items, now we are down to the nitty gritty things like direct dial numbers, etc.

Is there a way to assign the rights to a user so that they can only see/edit the non-security parts of an AD user account (address, telephone, organization tabs) while restricting things like reset password, account and "member of" tabs, etc?

 

[Stevehewitt]

Without playing on my servers at work, I'd guess the delegation wizard or NTFS permissions on the OU/Objects would do it. Possibly even NTFS on the schema to allow updates to a certian attribute but again not too sure. Maybe worth playing with a test server.

To be completely honest, with testing and deployment it maybe quicker with just 1500 accounts to do it manually...! (Or possibly look at a 3rd party app/funky .vbs to do it)




Steve.

"They have the internet on computers now!" - Homer Simpson

 

[cameramonkey]

Correct. with testing and deployment from an unknown state it would be (the "I think this works in theory... lets give it a try").

However, if somebody has done it before and knows that it works, testing those known-good changes is pretty quick.

Besides, it WOULD be quicker if we actually had the time to do it on top of our other day to day duties.