Based on my student's request, I am posting an article about a custom delegation task in Active Directory. This delegation allows a user with a specific function, for example Human Resources, to edit only certain properties of users in certain OUs.
User Attributes that can be changed after the custom delegation:
Job Title, Department, Company, Manager, and Direct Reports.
Testing will be done by user Jet Lee (JetL) as a member of the Human Resources group.
Attributes that Will Be Allowed to Be Changed in This Custom Delegation Example
Delegation Control Steps
Right-click the Finance OU, for example, and then click Delegate Control. This launches the Delegation of Control Wizard.
Select users or groups for delegation
Select Create a custom task to delegate
Select Only the following objects in the folder, then select User objects.
On the Permissions page, select Property-specific. Then select read and write permissions for the following attributes:
– Department
– Job Title
– Company
– Direct Reports
– Manager
Click Next, and then click Finish.
Test the Delegation
For testing I use user Jet Lee (JetL), who is a member of the Human Resources group.
Now JetL can modify the user properties on the Organization tab, as in the following picture:
Here is the result of setting the Manager property, as you can see in the Direct Reports list in the user properties for the manager (NaomiW).
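A read-only check to go with the test above (an added example, not part of the original article): it lists the allow ACEs the Human Resources group holds on the OU and flags any write-type right that falls outside the five delegated attributes. The OU distinguished name and the example.com domain are assumptions; title, department, company, manager and directReports are the LDAP display names of the attributes selected in the wizard.

```powershell
# Added example: audit a delegation on an OU. Read-only, makes no changes.
# Requires the ActiveDirectory module (installed with RSAT).
Import-Module ActiveDirectory

$ou        = 'OU=Finance,DC=example,DC=com'   # assumption: replace with your OU's DN
$groupName = 'Human Resources'                # group used in the article
# LDAP display names for Job Title, Department, Company, Manager, Direct Reports
$expected  = 'title', 'department', 'company', 'manager', 'directReports'

# Build a schemaIDGUID -> lDAPDisplayName lookup from the schema partition.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$guidMap  = @{}
Get-ADObject -SearchBase $schemaNC -LDAPFilter '(schemaIDGUID=*)' -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }

# Rights that let the holder change objects or their permissions.
$writeMask = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, WriteDacl, WriteOwner, CreateChild, DeleteChild, Delete, DeleteTree'

$report = (Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$groupName" -and $_.AccessControlType -eq 'Allow' } |
    ForEach-Object {
        # An empty ObjectType means the right is not limited to one attribute.
        if ($_.ObjectType -eq [guid]::Empty) {
            $target = '(all)'
        } elseif ($guidMap.ContainsKey($_.ObjectType)) {
            $target = $guidMap[$_.ObjectType]
        } else {
            $target = "unresolved GUID $($_.ObjectType)"   # e.g. a property set
        }
        $canWrite = [int]($_.ActiveDirectoryRights -band $writeMask) -ne 0
        [pscustomobject]@{
            Rights     = $_.ActiveDirectoryRights
            Target     = $target
            Inherited  = $_.IsInherited
            Unexpected = $canWrite -and ($expected -notcontains $target)
        }
    }

$report | Format-Table -AutoSize
if ($report | Where-Object Unexpected) {
    Write-Warning "$groupName holds write rights on $ou beyond the delegated attributes."
}
```

Rows with Inherited set to True come from a parent container rather than from this OU's own delegation, so an unexpected inherited entry has to be corrected where it was originally granted.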
Very nice and clear instructions, I really appreciated finding them
One question – if you have delegated this permission, is there a way your HR group can access Active Directory to make those changes from their local workstations without logging into a domain controller?
Comment by Elliot Ross — November 2, 2012 @ 7:40 pm
You can install RSAT on HR workstations to make it possible. Download from: http://www.microsoft.com/en-us/download/details.aspx?id=7887
or Google keywords: RSAT Windows 7
Comment by Daniel Ramawidjaja — November 3, 2012 @ 12:53 am