Security to computer/user account description field

Discussion in 'Active Directory' started by mattr2110, Feb 27, 2006.

  1. mattr2110

    mattr2110 Guest

    How do I give users the rights to write/change the AD computer/user
    account description field?
     
    mattr2110, Feb 27, 2006
    #1

  2. mattr2110

    Cary Shultz Guest

    Matt,

    Have you looked at the Delegation Wizard? I have not looked at it for this
    specific attribute but it is generally a good place to start. However, be
    advised that you will have to document this very well as there is no
    'Delegation MMC' where you can look to see what changes you have made with
    it. You are simply changing things in AD and would have to look at the
    attribute in question to see where things stand.
     
    Cary Shultz, Feb 28, 2006
    #2

  3. Basically, you create a group and grant that group write description
    property.

    You do this by opening DSA.MSC (or ADSIEDIT.MSC), enabling advanced view and
    then pulling up the properties of the domain. Click the security tab and
    choose advanced, click add and add the group. In the permissions entry for
    <domain name> select properties, and change apply onto to user objects.
    Choose read description and write description. Hit OK. Do the same again
    but choose computers instead of users as the object type.

    Note that this won't apply to members of protected groups due to
    adminSDHolder:
    -- http://www.msresource.net/content/view/38/46/
     
    Paul Williams [MVP], Feb 28, 2006
    #3
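
Added example, not part of the thread or any poster's own script: the GUI steps in post #3 done in PowerShell, followed by a listing of the explicit description ACEs on the domain head, which serves as the record that post #2 says the Delegation Wizard does not keep. It assumes the RSAT ActiveDirectory module, an account allowed to modify the domain DACL, and a hypothetical group named 'Description Editors'.

```powershell
# Added example. 'Description Editors' is a hypothetical group name.
Import-Module ActiveDirectory

$GroupName = 'Description Editors'
$domainDN  = (Get-ADDomain).DistinguishedName
$schemaNC  = (Get-ADRootDSE).schemaNamingContext

# Resolve schemaIDGUIDs from the schema instead of hard-coding them.
function Get-SchemaGuid([string]$LdapName) {
    $o = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(lDAPDisplayName=$LdapName)" -Properties schemaIDGUID
    if (-not $o) { throw "Schema object '$LdapName' not found" }
    [guid]$o.schemaIDGUID
}

$descGuid = Get-SchemaGuid 'description'
$sid      = (Get-ADGroup $GroupName).SID
$rights   = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$allow    = [System.Security.AccessControl.AccessControlType]::Allow
$inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

# One ACE per object type, as in the post: user objects, then computer objects.
$acl = Get-Acl -Path "AD:\$domainDN"
foreach ($class in 'user', 'computer') {
    $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, $rights, $allow, $descGuid, $inherit, (Get-SchemaGuid $class))
    $acl.AddAccessRule($ace)
}
Set-Acl -Path "AD:\$domainDN" -AclObject $acl

# Audit: every explicit ACE on the domain head scoped to the description attribute.
(Get-Acl -Path "AD:\$domainDN").Access |
    Where-Object { $_.ObjectType -eq $descGuid -and -not $_.IsInherited } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                  InheritanceType, InheritedObjectType |
    Format-Table -AutoSize
```

Saving the audit output when the change is made gives a baseline to compare against later.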