In this article we’ll go through the steps to allow a domain user that is a member of a security group, to update the Department field in Active Directory

So open up Active Directory Users and Computers and create a Security Group that we will delegate control to, for this example we have created a group called “RL_Update_AD_Users_Department_Field”

Now we have to also choose the container that this group can edit Users in to for this example we have a “Users”-container in our “domain“.

This opens up the Delegation of Control Wizard. Hit Next.

To add a user or group hit Add. Once you are done hit Next.

Tasks to Delegate – Hit Create a custom task to delegate. Hit Next.

Choose Only the following objects in the folder and mark the checkbox User Objects. Hit Next.

Permissions – Mark “General“, “Property-specific” and “Read Department” as well as “Write Department”. Hit Next.

Hit Finish.

You’ve now delegated control to edit the “Department“-field on user objects in the “User“-container to the security group called RL_Update AD_Users_Department_Field.

Now to ensure that it actually works, we add the “Security Group” on a test user in our domain and fire up a VM:

And we’ll edit a user in the domain with the test user to see that it works.

As expected it’s empty.

 

Now let’s try to edit it:

You’ve now successfully delegated rights to a security group with rights to edit the User-container that allows editing of the “Department“-field.