Posted by Roger Abell [MVP] on February 8, 2007, 11:16 pm
> Is there a way to allow a group to change personal and public info
> concerning user objects, but deny them the right to change the email
> address, esp. the one listed on the General tab? Cannot seem to find a
> checkbox that does that.
Dan,

Although I (think I) can tell that you are talking about delegating
in Active Directory, your post is really not clear about what you
are asking, and if I am right it would be helpful to know the version
of your AD forest (OS version and AD functional mode).

Anyway, it sounds as though you are needing to define a custom
delegation, finding that none of the pre-defined delegations fit
your needs. I am not clear whether you are after allowing change
of specific attributes of account objects or of inetOrgPerson objects,
or perhaps of msExch(ange objects).

You probably should post to the active_directory newsgroup with
information about the specific attributes over which you do want
to grant control (one does not form a custom delegation by saying
all of those but deny that one and that, but rather by granting the
ones that are to be available).

One starts (IMO) by defining a group to which the delegation will
be made and then in the delegation of control wizard started at the
appropriate OU one takes a couple of turns (checking the radio to
delegate for specific objects and choosing them, and then the radio
for object specific properties and finding the read/write grants for
the desired attributes of the object). Note that if you need attributes
from multiple objects you would likely need to do this for each
object, as when multiselecting specific objects one may not get a
list of object specific attributes at the second turn (radio buttons).

Roger
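
The grant-only approach described in the reply above, scripted with `dsacls.exe` as an added example that is not part of the original post. The OU, the group name and the attribute list are constructed placeholders; the script only prints the commands unless `-Apply` is given.

```powershell
# Added example. The OU, group and attribute list below are constructed
# placeholders; replace them with values from your own forest.
param([switch]$Apply)   # without -Apply the commands are printed, not run

$TargetOu = 'OU=Staff,DC=example,DC=com'      # placeholder OU
$Delegate = 'EXAMPLE\UserInfoEditors'         # placeholder delegation group

# Attributes the group may write. 'mail' is deliberately absent:
# the delegation is built from grants, not from a broad grant plus a deny.
$Allowed = @('telephoneNumber', 'mobile', 'streetAddress', 'l', 'st',
             'postalCode', 'title', 'department', 'physicalDeliveryOfficeName')

# Attributes this script must never hand out, even if added to $Allowed later.
$Withheld = @('mail')

function Get-AttributeGrant {
    param([string]$Group, [string[]]$Attributes, [string[]]$Blocked)
    foreach ($attr in $Attributes) {
        if ($Blocked -contains $attr) {
            throw "Attribute '$attr' is on the withheld list; remove it from the grant list."
        }
        # RPWP = read property + write property, limited to one attribute
        # and inherited only by user objects.
        "${Group}:RPWP;${attr};user"
    }
}

$grants = @(Get-AttributeGrant -Group $Delegate -Attributes $Allowed -Blocked $Withheld)

foreach ($grant in $grants) {
    if ($Apply) {
        # /I:S applies the ACE to sub-objects of the OU only.
        & dsacls.exe $TargetOu /I:S /G $grant
    } else {
        "dsacls `"$TargetOu`" /I:S /G `"$grant`""
    }
}
```

Running `dsacls` against the OU with no switches afterwards lists the resulting ACEs for review.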