David,
The answer to your question is really twofold.
1. To modify the permissions on existing user accounts your best bet is to
use a script that reads the user names from a list and uses the dsacls tool
to grant the permissions on the specific attributes that you want users to be
able to change. The list of applicable attributes can be found in the
dssec.dat file. You would want to use a command something like this:
dsacls "ou=ouname,dc=domain,dc=com" /i:t /g
"domain\<username>":rpwp;telephonenumber;user
Unfortunately I have yet to write anything of this sort, so I can't supply
you with a pre-made script, but I know that there are plenty of resources
that can help you write this script.
2. If you want to be able to apply this permission to all accounts you
create moving forward, the first thing that you would want to do is create a
custom security delegation that grants permission to modify only those
attributes that you specify. To simplify this, your best bet is to modify
the delegwiz.inf file. For more information on how to do this reference
http://support.microsoft.com/default.aspx?scid=kb;en-us;308404.
Hope this helps.
JHK
