some attribute in AD Delegation Wizard not available

    Question

  • Hello,

    I am trying to delegate the changing of user contact information to a security group.

    Environment: Server 2008 R2

    1. I created a Global security group for the users who should change users' contact information.

    2. Now, on the Users OU, I run the Delegation Wizard.

    3. I added the created security group, created a custom delegation task, ticked "only the following objects in the folder", then selected "User Objects".

    4. In this list I cannot find the otherTelephone and wWWHomePage attributes.

    As explained somewhere in this forum, I found the C:\windows\system32\dssec.dat file on the DC, and there, next to these attributes, I changed the value from 7 to 0 and restarted the AD console. Nothing changed. I still cannot see these attributes in the Delegation Wizard.

    In AD schema editor I see this:

    In the Delegation Wizard I found that these attributes are in "computers policy objects", but not in "user objects". Why?

    Can you explain this?





    • Edited by DimiKo Thursday, November 29, 2012 10:28 AM
    Thursday, November 29, 2012 9:58 AM

Answers

All replies

  • To be honest, I don't completely understand how this is all tied together, but they are part of property sets:
    http://msdn.microsoft.com/en-us/library/windows/desktop/ms684394(v=vs.85).aspx
    http://msdn.microsoft.com/en-us/library/windows/desktop/ms684418(v=vs.85).aspx

    Guido dives into property sets in his explanation on hiding data and it might help you.
    http://www.windowsitpro.com/content1/topic/hiding-data-active-directory-142135/catpath/active-directory

    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://www.pbbergs.com    Twitter @pbbergs
    http://blogs.dirteam.com/blogs/paulbergson

    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

    Thursday, November 29, 2012 1:18 PM
    Moderator
  • I don't understand either how it is tied.
    Thursday, November 29, 2012 1:43 PM
  • You can't set security on an individual attribute in a set.  I don't believe these values can be set at all.

    --
    Paul Bergson

    Thursday, November 29, 2012 1:48 PM
    Moderator
  • You can't set security on an individual attribute in a set.  I don't believe these values can be set at all.

    OK, how can I delegate to several users the ability to change other users' contact information?

    I am trying to do this with delegation on the OU, and then on the user's computer I will install RSAT and run MMC.
    • Edited by DimiKo Thursday, November 29, 2012 1:55 PM
    Thursday, November 29, 2012 1:54 PM
  • Use the template below.

    ;---------------------------------------------------------
    [template54]
    AppliesToClasses=domainDNS,organizationalUnit,container

    Description = "Modify a user's telephone number"

    ObjectTypes = user

    [template54.user]
    telephoneNumber=WP
    ;----------------------------------------------------------

    See the links below for more details.

    How to add custom delegation

    http://msmvps.com/blogs/acefekay/archive/2012/02/07/active-directory-server-2008-r2-you-do-not-have-permission-to-modify-the-group.aspx

    Active Directory Delegation Wizard File

    http://technet.microsoft.com/en-us/library/cc772784%28WS.10%29.aspx


    Best regards, Biswajit Biswas. Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. MCP 2003, MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin

    Thursday, November 29, 2012 2:32 PM
  • Thank you. Can you explain how to use the template to edit only the contact information I want? For example, only otherTelephone and wWWHomePage and several more.

    I cannot find Delegwiz.inf in the Windows installation directory or in the INF folder; I found it only in the System32 directory of my DC.

    And when I try to change it, I get Access Denied. Then I changed ownership of the file and replaced it, but nothing changed in the Delegation Wizard. :(




    • Edited by DimiKo Thursday, November 29, 2012 3:35 PM
    Thursday, November 29, 2012 2:43 PM
  • The delegwiz.inf file is located in the directory %windir%\Inf under Windows 2000 and Windows Server 2003, and in the directory %windir%\system32 under Windows Server 2008 and 2008 R2.

    Take a proper backup of delegwiz.inf and do the test.


    Best regards, Biswajit Biswas

    Thursday, November 29, 2012 4:11 PM
  • There are certain attributes which are not available for delegation, and you need to modify the %systemroot%\system32\dssec.dat file, i.e. you need to give the user read/write access to the attribute.

    Delegate control in AD to update city and state/province
    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/4e8b6ab1-6961-4bf1-b697-3e358fc5575f

    User attributes
    http://www.kouti.com/tables/userattributes.htm

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE | MCSA:Messaging | MCTS | MCITP: Enterprise Administrator

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Thursday, November 29, 2012 5:26 PM
  • I added the attributes otherTelephone=0 and wWWHomePage=0 to the [user] section of %systemroot%\system32\dssec.dat.

    But I cannot see them after restarting ADUC.

    I can't see the Write and Read rights for these attributes in the property-specific attribute list for the user object (delegation), and I cannot see them in the OU's advanced security under Descendant User objects.

    I found that in the Delegation Wizard, in the property-specific list for the user object, the only attributes I don't see are multivalued ones, like otherTelephone, wWWHomePage, otherMobile, otherIPPhone and others.

    Maybe I don't understand something?


    • Edited by DimiKo Friday, November 30, 2012 7:19 AM
    Thursday, November 29, 2012 7:37 PM
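
    Added example, not part of the original thread: the wizard's attribute list is only a display filter, so the per-attribute rights asked about above can also be written directly to the OU's ACL with dsacls.exe (shipped with the AD DS tools/RSAT) and then read back for review. The OU distinguished name and the group name are placeholders assumed for illustration.

```powershell
# Added example: grant Read/Write Property on selected attributes of
# descendant user objects, without relying on the Delegation Wizard list.
# $TargetOU and $Delegate are placeholders (assumptions), not values from the thread.
$TargetOU   = 'OU=Users,DC=example,DC=com'       # OU that holds the user objects
$Delegate   = 'EXAMPLE\ContactEditors'           # security group receiving the rights
$Attributes = 'otherTelephone', 'wWWHomePage'    # lDAPDisplayName of each attribute

foreach ($attr in $Attributes) {
    # Permission string format: <trustee>:<rights>;<property>;<inherited object type>
    #   RPWP  = Read Property + Write Property
    #   user  = the ACE takes effect on user objects only
    $ace = '{0}:RPWP;{1};user' -f $Delegate, $attr

    # /I:S = inherit to sub-objects only, so the OU object itself is not affected
    & dsacls.exe $TargetOU /I:S /G $ace | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "dsacls failed for attribute '$attr' (exit code $LASTEXITCODE)"
    }
}

# Read the ACL back and show every entry that names the delegate group,
# with the two lines that follow it, so the granted rights can be reviewed.
$acl     = & dsacls.exe $TargetOU
$entries = $acl | Select-String -SimpleMatch $Delegate -Context 0,2
if (-not $entries) {
    Write-Warning "No ACE for $Delegate found on $TargetOU"
}
$entries
```

    Run it from an elevated session with an account allowed to modify permissions on the OU, and keep the attribute list as short as the task requires so the group receives nothing beyond those properties.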