Is it possible to allow users to update just 1 field in AD?

MikeLeone posted this 16 October 2017

I have a user, who needs to do 2 things in AD.

1. She needs to look up a user, to see what their login ID is (it has
to match what is in our Cisco VOIP, I'm told). And then ...
2. She needs to input a value in the "IP Phone" field. (Apparently,
the Cisco software does an LDAP lookup of this field.)

Is it possible to delegate the right to change just that one field to
a user? (I think not) We don't want her to inadvertently delete a
user, or change anything else. We're just tired of her calling the
help desk to do simple lookups, or enter a phone number that she
should (might?) be able to do herself.

Mind you, I did an export of all user logins, which was supposed to be
fed into the Cisco system. So why they think the logins don't match, I
don't know. And don't have time (or inclination) to deal with.

Thanks for any advice.
Forum info: http://www.activedir.org

kurtbuff posted this 16 October 2017

Don't give the staff member a direct powershell solution.

We've done something similar with LAPS and allowing certain staff
members to read the local Administrator password from AD on their
machines - we created a limited account with specific rights to
perform the task and set up a web page that has that account perform
the task.

Kurt


a-ko posted this 17 October 2017

Yes,

It is possible to delegate just that attribute. Though the GUI might not expose it easily for you. You might have to modify dssec.dat on the DC to expose the attribute to the GUI for delegation.

There are ways to do it with PowerShell as well via utilizing Set-ACL and the ActiveDirectoryAccessRule class (https://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectoryaccessrule(v=vs.110).aspx) but this may be a bit more advanced.

I typically use the PowerShell method so that all access rule changes like this are logged in our internal code repos.


You do not need to give the person any other access other than to write to that property for "Descendent User Objects". Bonus points, limit this to specific OUs with user accounts if you can.
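The single-attribute delegation a-ko describes, written out as an added PowerShell example (not code from the thread or from any poster): it resolves the schemaIDGUIDs for the ipPhone attribute and the user class from the schema instead of hard-coding them, builds one ActiveDirectoryAccessRule granting WriteProperty on that attribute only, inherited to descendant user objects in one OU, and applies it with Set-Acl. The OU distinguished name, the domain, and the delegate account name are placeholders to be replaced with your own.

```powershell
# Added example, not from the original thread. Assumed placeholder values:
#   $ouDN     - the OU that holds the user accounts to be edited
#   $delegate - the helper's account (a group is preferable in practice)
Import-Module ActiveDirectory

$ouDN      = "OU=Staff,DC=example,DC=com"   # assumption: OU to delegate on
$delegate  = "EXAMPLE\phone.delegate"       # assumption: delegate principal
$attribute = "ipPhone"                      # lDAPDisplayName of the "IP Phone" field

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Look up a schemaIDGUID from the schema partition by lDAPDisplayName, so the
# GUIDs are never typed by hand.
function Get-SchemaGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $obj = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    [guid]$obj.schemaIDGUID
}

$attrGuid      = Get-SchemaGuid $attribute   # the one property being delegated
$userClassGuid = Get-SchemaGuid "user"       # objects the ACE applies to

# Translate the delegate to a SID; ACEs are stored by SID, not by name.
$sid = (New-Object System.Security.Principal.NTAccount($delegate)).Translate(
    [System.Security.Principal.SecurityIdentifier])

# One ACE: Allow WriteProperty on ipPhone, inherited to descendant user objects
# only. "Descendents" means the OU itself receives no rights from this rule.
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $attrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid
)

$acl = Get-Acl -Path "AD:\$ouDN"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: show only the ACEs on this OU that name the delegate. Expect a single
# WriteProperty entry whose ObjectType is the ipPhone GUID and whose
# InheritedObjectType is the user class GUID.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference.Value -eq $delegate } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  ObjectType, InheritanceType, InheritedObjectType
```

The lookup half of the request (reading a user's login ID) normally needs no extra delegation, since Authenticated Users can read common attributes such as sAMAccountName by default; check that assumption in your own domain before relying on it. If it does not hold, a second rule with ReadProperty on the attributes she must see, built the same way, is the narrowest fix. Run the verification query again after any later change so the delegate never accumulates rights beyond the one attribute.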


sam_bloom posted this 5 weeks ago

You can do it with Adaxes. It allows you to grant granular delegated permissions (down to single AD properties) using an RBAC model.

It also has a customizable web UI that you can give out to users. You can set exactly which fields users can see and/or modify. You can also enforce format restrictions to the field to add even more control. 

So, at the end you can allow your user to go to a web UI, where she can literally edit only one field for AD users, do it in the format you define and absolutely nothing else. 
