Forum Search:
Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Ultimate forum for Technical Discussions

Home » Microsoft » Windows Server » Active Directory » Least permissions to update Manager field in AD
Least permissions to update Manager field in AD [message #158930] Tue, 21 July 2009 11:29 Go to next message
Newbie  is currently offline Newbie  Canada
Messages: 86
Registered: July 2009
Member
Hi,

Was wondering if I need to delegate someone to update "Manager" field in AD,
do I need to include that user in "Domain Admins" group? Thanks.
Re: Least permissions to update Manager field in AD [message #158931 is a reply to message #158930] Tue, 21 July 2009 11:42 Go to previous messageGo to next message
Chris Dent  is currently offline Chris Dent  United Kingdom
Messages: 189
Registered: July 2009
Senior Member
No, not at all.

They will need to have write permission to the manager field, but you
can grant them just write access to that field and nothing else if you wish.

It would be good to have a place you can test this one. Maybe if you
have an OU with a couple of users in? If so, in AD Users and Computers,
then:

1. Right click and select Delegate Control (right click on the OU)
2. Select a user or group
3. Select Create a custom task to delegate
4. Select Only the following objects in the folder
5. Tick User objects
6. Under "Show these permissions". Untick General and tick Property-Specific
7. Select Write Manager from the list (about a third of the way down,
alphabetical order by attribute name)

That's it. Now the user or group you specified can modify the manager
field without having to mess with anything else.

HTH

Chris

Newbie wrote:
> Hi,
>
> Was wondering if I need to delegate someone to update "Manager" field in AD,
> do I need to include that user in "Domain Admins" group? Thanks.
>
>
Re: Least permissions to update Manager field in AD [message #158946 is a reply to message #158931] Tue, 21 July 2009 16:09 Go to previous message
Newbie  is currently offline Newbie  Canada
Messages: 86
Registered: July 2009
Member
Thank you Chris, it worked.


"Chris Dent" <chris@noreply.null> wrote in message
news:OUFjUnhCKHA.1336@TK2MSFTNGP05.phx.gbl...
>
> No, not at all.
>
> They will need to have write permission to the manager field, but you can
> grant them just write access to that field and nothing else if you wish.
>
> It would be good to have a place you can test this one. Maybe if you have
> an OU with a couple of users in? If so, in AD Users and Computers, then:
>
> 1. Right click and select Delegate Control (right click on the OU)
> 2. Select a user or group
> 3. Select Create a custom task to delegate
> 4. Select Only the following objects in the folder
> 5. Tick User objects
> 6. Under "Show these permissions". Untick General and tick
> Property-Specific
> 7. Select Write Manager from the list (about a third of the way down,
> alphabetical order by attribute name)
>
> That's it. Now the user or group you specified can modify the manager
> field without having to mess with anything else.
>
> HTH
>
> Chris
>
> Newbie wrote:
>> Hi,
>>
>> Was wondering if I need to delegate someone to update "Manager" field in
>> AD, do I need to include that user in "Domain Admins" group? Thanks.
Previous Topic:Re: Multiple Secuirty group
Next Topic:AD trust and folder permission
Goto Forum:
  


Current Time: Sat Oct 21 19:08:11 EDT 2017

Total time taken to generate the page: 0.03934 seconds
.:: Contact :: Home ::Sitemap::.

Powered by: FUDforum 3.0.0RC2.
Copyright ©2001-2009 FUDforum Bulletin Board Software