AD Delegation Dilemma



Chris: Our company has finally come around to using Microsoft Exchange and letting me deploy some SharePoint Services. To go hand in hand with that availability of information, it would be useful for our human resources department to be able to store users' addresses and telephone numbers in Active Directory (fields we have been leaving blank).

We would like to give our human resources managers access to all of this data, and I took a shot at delegating authority to do so. However, my attempt ended up allowing our human resources manager to create, or even delete, user accounts in specific folders, but not to edit the data fields (Office, Address, Telephone Number, etc.).

I now have two questions. Since I have already delegated authority to the human resources manager that I do not necessarily want them to have, how do I un-delegate those powers? And how do I give the human resources manager the ability to edit the content of AD user objects? Our DCs are Windows Server 2003 Standard, I do not know scripting, and free tools are all my budget will allow. Am I a lost cause? - Dustin

Tech Help: Got a Windows, Exchange or virtualization question, or need troubleshooting help? Or perhaps you want a better explanation than the manual provides? Describe your dilemma in an e-mail to the MCPmag.com editors at editor@mcpmag.com; the best questions get answered in this column and earn the questioner an MCPmag.com baseball cap.

When you send your question, please include your full first and last name, location, certifications (if any), and your message. (If you prefer to remain anonymous, say so in your message, but still submit the requested information for verification.)

Dustin, first of all, I want to congratulate you on your bravery. A wise person once told me to never ask a question unless you really want an answer. I would probably never ask my readers whether I am a lost cause, because they might be more than happy to tell me that I am probably beyond lost.

In your case, you are not a lost cause. You are on the right track with user delegation and have only strayed a little off the road. Before setting the correct permissions, your first task should be to remove the original permissions set by the Delegation of Control Wizard. To do this, open Active Directory Users and Computers, click the View menu, and make sure that Advanced Features is selected. Then right-click the domain or OU object where you originally delegated authority, and choose Properties. From there, click the Security tab, where you will see the human resources user group (or the user account object, in your case) listed. At this point, you only need to click the object listed in the access control list (ACL) and click the Remove button. Once you click OK, any authority previously delegated will be removed.

Now you are ready to delegate the authority correctly. A best practice is to always assign permissions at the group level instead of to individual users. That way, as users join and leave the company, you do not have to remove their accounts from the ACLs of any objects. Therefore, in your case, if you have not already done so, I suggest creating an HR group (or HR Managers group), and then adding the human resources manager's user object to the new group. You can then delegate control to the new group with the following steps: In Active Directory Users and Computers, right-click the domain or OU where you want to grant permissions and choose Delegate Control.

When the Delegation of Control Wizard opens, click Next. Click the Add button to add the human resources group.

In the Select Users, Computers, or Groups dialog box, enter the name of the human resources group, and click OK.

Now click Next.

Click the "Create a custom task to delegate" radio button, and click Next.

Click the "Only the following objects in the folder" radio button, then scroll down, check the User objects checkbox, and click Next.

In the Permissions dialog box, select the General checkbox, then scroll down in the Permissions window and check the following: Read and write General Information; Read and write Personal Information; Read and write Phone and Mail Options; Read and write Web Information; Read and write Public Information. Click Finish to complete the Delegation of Control Wizard.

At this point, your human resources manager will be able to edit only the personal information of user objects, and will not be able to create or delete any user objects. In addition, the manager can do this without using the Active Directory Users and Computers MMC. Instead, he or she can query and modify AD user objects with the Address Book tool, found in the Accessories folder (Start - All Programs - Accessories - Address Book) on the Windows XP Professional desktop. Once the Address Book is open, click Find People on the toolbar. Once the Find People dialog box opens, make sure that Active Directory is selected in the Look in field, enter the name of the user object to edit in the Name field, and then click Find Now. The user account is then listed at the bottom of the window. To edit the user's information, click the user object, and then click the Properties button. From here you can edit the user's home address, telephone numbers, and business-related information. This should be enough to give the human resources manager interactive access to AD.

If this does not fix the problem, you can now fall back on what most managers do as a common practice: tell your users that they are the lost cause!
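To confirm the outcome of the two procedures above (the earlier create/delete delegation removed, the new one limited to the five property sets on user objects), the OU's DACL can be checked once it has been exported in SDDL form. The Python below is an added example, not part of the original column; the function names, the group SID and both SDDL strings are constructed for illustration.

```python
import re

# Schema GUIDs: the user class and the five property sets chosen in the wizard.
USER_CLASS = "bf967aba-0de6-11d0-a285-00aa003049e2"
PROPERTY_SETS = {
    "59ba2f42-79a2-11d0-9020-00c04fc2d3cf": "General Information",
    "77b5b886-944a-11d1-aebd-0000f80367c1": "Personal Information",
    "e45795b2-9455-11d1-aebd-0000f80367c1": "Phone and Mail Options",
    "e45795b3-9455-11d1-aebd-0000f80367c1": "Web Information",
    "e48d0154-bcf8-11d1-8702-00c04fb96050": "Public Information",
}
INTENDED_RIGHTS = {"RP", "WP"}  # read property, write property

def codes(field):
    # Split an SDDL flags or rights field into its two-letter codes.
    return set(re.findall("..", field))

def audit_delegation(dacl_sddl, group_sid):
    """Return (granted, findings) for the explicit ACEs naming group_sid:
    property sets delegated as intended, and every other ACE for the group."""
    granted, findings = [], []
    for ace in re.findall(r"\(([^)]*)\)", dacl_sddl):
        fields = ace.split(";")
        if len(fields) != 6:
            continue
        ace_type, flags, rights, obj, inherit_obj, sid = fields
        # Skip other trustees and ACEs inherited (ID) from a parent container.
        if sid.upper() != group_sid.upper() or "ID" in codes(flags):
            continue
        intended = (ace_type == "OA" and codes(rights) == INTENDED_RIGHTS
                    and obj.lower() in PROPERTY_SETS
                    and inherit_obj.lower() == USER_CLASS)
        if intended:
            granted.append(PROPERTY_SETS[obj.lower()])
        else:
            findings.append(f"unexpected ACE for group: ({ace})")
    return sorted(granted), findings

# Constructed sample data: a made-up group SID and two made-up OU DACLs.
HR_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
BEFORE = f"D:(A;;GA;;;DA)(OA;CI;CCDC;{USER_CLASS};;{HR_SID})"
AFTER = "D:(A;;GA;;;DA)" + "".join(
    f"(OA;CIIO;RPWP;{guid};{USER_CLASS};{HR_SID})" for guid in PROPERTY_SETS
)

if __name__ == "__main__":
    for label, dacl in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_delegation(dacl, HR_SID))
```

A leftover create/delete child ACE (CCDC) for the group shows up in the findings list, while a correctly scoped delegation yields all five property sets and no findings.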
