Forum Search:
Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Ultimate forum for Technical Discussions

Home » Microsoft » Windows Server » Active Directory » Giving access to AD user attribute read/write
Giving access to AD user attribute read/write [message #396417] Sun, 21 February 2010 05:20 Go to next message
Drazen  is currently offline Drazen  Croatia
Messages: 13
Registered: June 2009
Junior Member
Hi,

We have to give the permission to read/write msIIS-FTPDir and msIIS-
FTPRoot AD user attributes for all users under an OU (or to all users
belonging in a security group) to a particular AD user.
How can this be accomplished?

Regards,
Drazen
Re: Giving access to AD user attribute read/write [message #397069 is a reply to message #396417] Mon, 22 February 2010 03:39 Go to previous messageGo to next message
florian  is currently offline florian  Switzerland
Messages: 484
Registered: July 2009
Senior Member
Howdie!

Drazen wrote:
> We have to give the permission to read/write msIIS-FTPDir and msIIS-
> FTPRoot AD user attributes for all users under an OU (or to all users
> belonging in a security group) to a particular AD user.
> How can this be accomplished?

The easiest way to do that is right-click the target OU and choose
"Delegation of Control...". A wizard starts. You can then go select the
priviledged AD user account you want to give permissions to and create
custom tasks you want to delegate to that user. One of the options is to
select AD attribute the user is allowed to read/write to.

That is one method. Others involve "Active Directory Users and
Computers" with "Advanced Features" view enabled or ADSIEdit both with
the Security Tab of the OU.

Cheers,
Florian
Re: Giving access to AD user attribute read/write [message #397235 is a reply to message #397069] Mon, 22 February 2010 09:06 Go to previous messageGo to next message
Drazen  is currently offline Drazen  Croatia
Messages: 13
Registered: June 2009
Junior Member
On Feb 22, 11:39 am, "Florian Frommherz [MVP]"
<flor...@frickelsoft.net> wrote:
> Howdie!
>
> Drazen wrote:
> > We have to give the permission to read/write msIIS-FTPDir and msIIS-
> > FTPRoot AD user attributes for all users under an OU (or to all users
> > belonging in a security group) to a particular AD user.
> > How can this be accomplished?
>
> The easiest way to do that is right-click the target OU and choose
> "Delegation of Control...". A wizard starts. You can then go select the
> priviledged AD user account you want to give permissions to and create
> custom tasks you want to delegate to that user. One of the options is to
> select AD attribute the user is allowed to read/write to.
>
> That is one method. Others involve "Active Directory Users and
> Computers" with "Advanced Features" view enabled or ADSIEdit both with
> the Security Tab of the OU.
>
> Cheers,
> Florian

Florian, thank you for your answer.
I have tried what you said, however after I tried to use Delegation
wizard on OU and came to "Permissions" part, I could choose "General",
"Property-specific", "Creation/deletion of specific objects". Choosing
any or all of those options hasnt exposed the needed attributes (msIIS-
FTPDir and msIIS-FTPRoot), they are just not here on the list. I am
able to set security on a specific user in that OU in a way to grant
read/write on needed attributes, by visiting Security tab of specific
user.
So for now I can only do this user-by-user which is not an option for
me.

Regards,
Drazen
Re: Giving access to AD user attribute read/write [message #397553 is a reply to message #397235] Mon, 22 February 2010 14:48 Go to previous messageGo to next message
Florian Frommherz  is currently offline Florian Frommherz  Germany
Messages: 86
Registered: February 2010
Member
Howdie!

Am 22.02.2010 17:06, schrieb Drazen:
> Florian, thank you for your answer.
> I have tried what you said, however after I tried to use Delegation
> wizard on OU and came to "Permissions" part, I could choose "General",
> "Property-specific", "Creation/deletion of specific objects". Choosing
> any or all of those options hasnt exposed the needed attributes (msIIS-
> FTPDir and msIIS-FTPRoot), they are just not here on the list. I am
> able to set security on a specific user in that OU in a way to grant
> read/write on needed attributes, by visiting Security tab of specific
> user.
> So for now I can only do this user-by-user which is not an option for
> me.

Did you actually turn on the "Advanced Features" in ADUC? If so, you
should be able to select the attributes when activating "Property specific".

Cheers,
Florian
Re: Giving access to AD user attribute read/write [message #398665 is a reply to message #397553] Wed, 24 February 2010 00:00 Go to previous message
Drazen  is currently offline Drazen  Croatia
Messages: 13
Registered: June 2009
Junior Member
Indeed I have. However the needed attributes (msIIS-FTPDir and msIIS-
FTPRoot) are only on user level, not on OU or security group level.

Regards,
Drazen

On Feb 22, 10:48 pm, Florian Frommherz
<flor...@LEAVETHISOUT.frickelsoft.net> wrote:
> Howdie!
>
> Am 22.02.2010 17:06, schrieb Drazen:
>
> > Florian, thank you for your answer.
> > I have tried what you said, however after I tried to use Delegation
> > wizard on OU and came to "Permissions" part, I could choose "General",
> > "Property-specific", "Creation/deletion of specific objects". Choosing
> > any or all of those options hasnt exposed the needed attributes (msIIS-
> > FTPDir and msIIS-FTPRoot), they are just not here on the list. I am
> > able to set security on a specific user in that OU in a way to grant
> > read/write on needed attributes, by visiting Security tab of specific
> > user.
> > So for now I can only do this user-by-user which is not an option for
> > me.
>
> Did you actually turn on the "Advanced Features" in ADUC? If so, you
> should be able to select the attributes when activating "Property specific".
>
> Cheers,
> Florian
Previous Topic:Export Certificate with Private Key from CA Management MMC
Next Topic:Service Account
Goto Forum:
  


Current Time: Wed Jan 17 04:12:10 MST 2018

Total time taken to generate the page: 0.21513 seconds
.:: Contact :: Home ::Sitemap::.

Powered by: FUDforum 3.0.0RC2.
Copyright ©2001-2009 FUDforum Bulletin Board Software