So, we wanted to delegate control of specific OUs in Active Directory to users, but only allow them to change phone numbers and titles. I was able to restrict nearly everything by allowing or denying the user specific security permissions for user objects in the OU. However, I couldn't seem to find how to restrict access to the "Last Name", "Initials", and "E-mail" fields in ADUC.
The trick was editing the dssec.dat file in the system32 folder per the below MS Knowledge Base article. This change needs to be made on every DC you want to edit those permissions on.
The one thing that threw me is that even after restarting ADUC it wouldn't show the new properties. It turns out there is a delay between making the changes in dssec.dat and them taking effect. I'd say make the change in the file and then wait at least 30 minutes before opening ADUC.
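Here is an added example (not from the original post) of pushing the same dssec.dat edit to every DC so the three fields show up in the ACL editor everywhere. It assumes the usual dssec.dat layout, where an attribute listed as name=7 under the [user] section is hidden from the permissions dialog and name=0 makes it visible, and it assumes the RSAT ActiveDirectory module for Get-ADDomainController; the attribute list, the admin$ path and the .bak backup name are my choices.

```powershell
# Added example, not the original post's code. Assumes: name=7 under [user]
# hides an attribute in the ACL editor, name=0 shows it (dssec.dat convention).
# sn = Last Name, initials = Initials, mail = E-mail in ADUC.
$attributes = @('sn', 'initials', 'mail')

# Requires the RSAT ActiveDirectory module.
$dcs = (Get-ADDomainController -Filter *).HostName

foreach ($dc in $dcs) {
    # admin$ maps to %SystemRoot%, so this is System32\dssec.dat on the DC.
    $path = "\\$dc\admin$\System32\dssec.dat"
    if (-not (Test-Path $path)) {
        Write-Warning "${dc}: dssec.dat not found, skipping"
        continue
    }

    # Keep a backup before touching a file the ACL editor depends on.
    Copy-Item -Path $path -Destination "$path.bak" -Force

    $inUser  = $false
    $changed = 0
    $out = foreach ($line in (Get-Content -Path $path)) {
        # Track which [section] we are in; only the [user] section is edited.
        if ($line -match '^\[(.+)\]\s*$') {
            $inUser = ($Matches[1] -eq 'user')
            $line
            continue
        }
        if ($inUser -and
            $line -match '^\s*([^=\s]+)\s*=\s*(\d+)\s*$' -and
            $attributes -contains $Matches[1] -and
            $Matches[2] -ne '0') {
            $changed++
            "$($Matches[1])=0"      # expose the attribute in the ACL editor
        } else {
            $line                   # everything else passes through unchanged
        }
    }

    Set-Content -Path $path -Value $out -Encoding Ascii
    Write-Host "${dc}: changed $changed entries in dssec.dat"
}
```

Each DC still needs the delay the post describes before ADUC picks up the new properties, so count on a wait after the script finishes.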