
Monday, September 25, 2023

Modifying AdminSDHolder Permission Delegation

Description:

You want to delegate permission to write certain user attributes of members of protected groups in Active Directory to "normal" users. You have added the permission on the AdminSDHolder container through the GUI for those "normal" users. However, during testing, you find that the "normal" users are still unable to modify the attributes of users in the protected groups.

Resolution:

You need to use the command line instead of the GUI.
To grant access to a specific user object attribute, for example department, use dsacls:
dsacls "CN=AdminSDHolder,CN=System,DC=example,DC=com" /G Allow-User-Management:WP;department;
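
To confirm the delegation took effect, the following added example (not part of the original post) checks for the property-specific ACE on AdminSDHolder and on one protected account; the SDProp process copies the AdminSDHolder ACL onto protected accounts periodically (every 60 minutes by default), so the second check can lag behind the first. It assumes the RSAT ActiveDirectory module, and 'protected.admin' is a hypothetical account name.

```powershell
# Added example: verify the delegated ACE on AdminSDHolder and on a protected account.
# Assumes the RSAT ActiveDirectory module is installed. The DN and group name are
# the ones used in the post; 'protected.admin' is a hypothetical sAMAccountName.
Import-Module ActiveDirectory

$holderDn  = 'CN=AdminSDHolder,CN=System,DC=example,DC=com'
$trustee   = 'Allow-User-Management'
$attribute = 'department'
$testUser  = 'protected.admin'   # hypothetical protected-group member

# Property-specific ACEs store the attribute's schemaIDGUID in ObjectType,
# so resolve that GUID from the schema partition first.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$attrObj  = Get-ADObject -SearchBase $schemaNc `
                -LDAPFilter "(lDAPDisplayName=$attribute)" -Properties schemaIDGUID
$attrGuid = [guid]$attrObj.schemaIDGUID

function Get-DelegatedAce {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Return Allow ACEs for the trustee that grant WriteProperty on the attribute.
    $writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    (Get-Acl -Path "AD:\$DistinguishedName").Access | Where-Object {
        $_.IdentityReference.Value -like "*\$trustee" -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $writeProp) -and
        $_.ObjectType -eq $attrGuid
    }
}

$user = Get-ADUser -Identity $testUser -Properties adminCount

# adminCount = 1 marks an account that SDProp treats as protected.
[pscustomobject]@{
    AceOnAdminSDHolder = [bool](Get-DelegatedAce -DistinguishedName $holderDn)
    UserAdminCount     = $user.adminCount
    AceOnProtectedUser = [bool](Get-DelegatedAce -DistinguishedName $user.DistinguishedName)
}
```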
