In Active Directory, how do I delegate write permissions on specific attributes of protected user accounts?
We have a tool being developed that will keep specific attributes of Active Directory user objects up to date with an authoritative source of employee information truth elsewhere, so that when someone's phone number or manager or location changes, Active Directory is automatically updated.
For normal users, delegation of manipulating to those properties is simple to handle using the delegation tools, but protected users, who have the adminSDHolder ACL applied, it's more difficult.
When adding an ACE to the adminSDHolder ACL using the UI, you're only able to grant access to all properties (which we don't want for security reasons), or properties that exist on the adminSDHolder object itself - not user properties like department.
How do you grant access to specific properties of user objects under the protection of adminSDHolder?
Solution 1:
This is doable, but only through the command line tools - the UI is incapable of making the changes (and of figuring out what those ACEs actually are once they're in place).
In order to grant access to a specific user object attribute, for example telephoneNumber, use dsacls:
dsacls "CN=AdminSDHolder,CN=System,DC=example,DC=com" /G Allow-User-Management:RPWP;telephoneNumber;
This creates an ACE for that attribute, which is meaningless on adminSDHolder since it doesn't have a telephoneNumber, but is then applied to the protected users.
Note that the UI tools will look like this, which a each of these properties you grant for creating an ACE that it isn't sure what to make of:
But, dsacls "CN=AdminSDHolder,CN=System,DC=example,DC=com" will show the truth:
Allow Allow-User-Management
SPECIAL ACCESS for sn
WRITE PROPERTY
READ PROPERTY
Allow Allow-User-Management
SPECIAL ACCESS for telephoneNumber
WRITE PROPERTY
READ PROPERTY