Daniel Ramawidjaja Blog

July 25, 2009

Delegation Control to Modify Only Certain User Attributes (Part 1)

Filed under: Active Directory,Windows Server — Daniel Ramawidjaja @ 9:14 am

Based on my student request, I post an article about custom delegation task in Active Directory. This delegation will allow user with specific function, for example, Human Resource to edit only certain properties of users in certain OUs.

User Attributes that can be changed after the custom delegation:
Job Title, Department, Company, Manager, and Direct Reports.

Testing will be done by user Jet Lee (JetL) as a member of Human Resources group.


Attributes that Will Be Allowed to Be Changed in This Custom Delegation Example

Custom Delegation


Delegation Control Steps
Right-click on Finance OU, for example, and then click Delegate Control. It will launch the Delegation of Control Wizard.

Custom Delegation

Select users or groups for delegation

Custom Delegation

Select Create a custom task to delegate

Custom Delegation

Select Only the following objects in the folder, then select User objects.

Custom Delegation

On the Permissions page, select Property-specific. Then select read and write permissions for the following attribute:
– Department
– Job Title
– Company
– Direct Reports
– Manager
Click Next, and then click Finish.

Custom Delegation


Test the Delegation
For testing I use user Jet Lee (JetL) that is a member of Human Resources group.

Custom Delegation

Now, JetL can modify the user properties in the Organization tab like the following picture:

Custom Delegation

Here the result of setting the Manager property as you can see in Direct Reports list in the user properties for the manager (NaomiW)

Custom Delegation


  1. Very nice and clear instructions, I really appreciated finding them

    One question – if you have delegated this permission, is there a way your HR group can access Active Directory to make those changes from their local workstations without logging into a domain controller?

    Comment by Elliot Ross — November 2, 2012 @ 7:40 pm | Reply

RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Blog at WordPress.com.

%d bloggers like this: