How Can Admin Assistants Update Global Access Lists?

  • Thread starter Thread starter Max
  • Start date Start date
M

Max

What is the best way to allow department secretaries to update phone numbers
and other location info in Outlook for other employees without giving them
any other rights over the accounts?
 
It is theoretically possible to delegate any property to
any user or group.

Try the Delegation of Control Wizard (right-click in AD Users/Comp)
in the advanced section, custom area.

If it's not there then you must use a scripting tool. Just this
weekend someone answered that they did this with LDIFDE
(or some tool, that I don't clearly remember) which
surprised me a bit but look into that general idea: using
scripting.
 
Not sure how familiar you are with web pages... but if you're looking
to have a user modify these permissions I would write a quick ASP or
..NET web app to allow them to edit and see just these attributes.

I never like handing out ADUC to users and its likely just going to
confuse them.

- Stefan
 
If you can't see the permission you need (I don't remember if its shown in
the UI by default) you need to edit the dssec.dat file. If the attribute is
=7 it means that it will not be displayed in the UI, you need to change it
to either 0,1 or 2. But this will only take care of the visibility in the
UI, you also need to change the DACL on the attribute.

0=Show Read/Write
1=Display Write
2=Display Read

To change the default schema DACL you can use dsacls, but if you do this,
the change will only be applied to objects that are created after the
change, i.e. objects that already exists will not be changed, you need to
script that or do it manually.
One thing you should be aware of is if you want to restore the Schema
defaults with dsacls later you will overwrite DACLs that applications might
have set, Exchange for instance.
In other words be sure to test this in a lab environment before doing it in
production.

Regards,
/Jimmy
 
Yes, I used the Delegation of Control Wizard and they were able to
edit phone numbers etc without even installing any new software on
their machines.
The "Seach For People" results in Windows became editable. When they
entered the info there, it appeared in the Outlook GAL immediately.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

How I can access and change global address list option of schedule management? 0
Update Contact Info From Global List 1
limited admin rights 2
Why can't I see all the data fields in Exchange when I link from MS Access? 2
Limited admin access to Active Directory 4
Employee count with multiple parameters... 1
A mini review of Iphone 12 mini 4
Update Contacts 3

Back
Top