How to allow some (non-admin) users to edit address/phone properties for all AD users?

active-directory attributes access-control-list

I need to allow HR people to edit some attributes for all Active Directory users (phone numbers, address, and similar contact informations), without giving them full administrative rights. They will need the right to edit those attributes on all user accounts, regardless of the OU they're in, and this security setting should also be automatically applied to new user accounts when they are created.

How can I accomplish this?


You want to use the Delegate Permissions option in Active Directory Users and Computers. You can apply the delegation to whatever OU you want, including the domain root.

This will allow you to delegate whatever attribute-level permissions you want to whatever users/groups you define.

These permissions apply like any other and respect inheritance.


In ADUC, the Delegation of Control wizard will allow you to do this, using a custom task for delegation. Pick just the fields you want them to have Write access to.

Related

What's faster for copying files from one drive to another? [closed]
How can I run command and select core to be used
LPR command won't recognize CUPS printer
Local and remote servers with different Linux distros?
MySQL Error: Too many connections
Do i need swap memory on my CentOS vps?
Ubuntu, How do I see a log of logins made?
Bash script exit on error (set -e) closes putty SSH session
Script to restart server when no user is remotely connected
What are the security risks of using pfsense in a virtualised environment?
Windows Server 2008 R2 Upgrade via Remote Desktop
RAID - buy spare disks at same time as originals?