Active Directory

Allow Domain User To Update Manager Field in Active Directory

Ulv BjørnssonLeave a comment

In this article we’ll go through the steps to allow a domain user that is a member of a security group, to update the manager field in Active Directory.

So open up Active Directory Users and Computers and create a Security Group that we will delegate control to, for this example we have created a group called “RL_Update_AD_Users_Manager_Field”

 

Now we have to also choose the container that this group can edit Users in to for this example we have a “Users”-container in our “domain“.

RoyalTS_2017-05-08_13-58-06.png

This opens up the Delegation of Control Wizard. Hit Next.

2017-05-08_12-30-50

To add a user or group hit Add. Once you are done hit Next.

2017-05-08_13-59-48.png

Tasks to Delegate – Hit Create a custom task to delegate. Hit Next.

delecustomtask

Choose Only the following objects in the folder and mark the checkbox User Objects. Hit Next.

deleuserobj.png

Permissions – Mark “General“, “Property-specific and “Read Manageras well as “Write Manager. Hit Next.

2017-05-08_14-19-43.png

Hit Finish.

2017-05-08_14-11-21.png

You’ve now delegated control to edit the “Manager“-field on user objects in the “User“-container to the security group called RL_Update AD_Users_Manager_Field.

Now to ensure that it actually works, we fire up a VM:

2017-05-09_10-11-48.png

As you can see, my test account is a regular Domain User, with the added on delegate role security groups.

2017-05-09_10-12-59.png

And has been able to change Manager to “Admin Ulv Bjørnsson” proving that the delegated roles work.

2017-05-09_10-14-17.png

 

Success!

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s