You can easily grant object- and attribute-specific permissions (which is what you want here) at the root of the domain (or whatever top-level OU you might have where all other OUs with user accounts are designed to be located). In your case you'd limit the ACE to User-Objects and grant whatever group you choose write access to the employee ID property of the User-Object. You won't want to use the Delegation Wizard - simply do it manually via the Security Editor in ADUC or ADSIedit.

No need for scripting; however, realize that you have to understand the rules of permission inheritance (e.g. it won't be applied to OUs that block inheritance) - but as this is a grant and not a deny ACE, there are no real other worries.
/Guido
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]
Sent: Thursday, 23 October 2003 22:29
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Delegating Write Access to on the Employee ID
Folks,
What is the best way to delegate write access to the employee ID field on user objects in a domain?

Is there something I can set on a parent domain that will replicate down to the child OUs, or will I have to write a script to flip the ACE on an object property?
Thanks,
Todd Myrick
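
The ACE described in the reply above, written out in PowerShell as an added example (not part of the original thread), followed by a check for the OUs that block inheritance and so will not receive it. The group name `EmployeeID-Editors` is an assumption, and the script assumes the ActiveDirectory module from RSAT is installed.

```powershell
# Added example; 'EmployeeID-Editors' is an assumed group name, not from the thread.
Import-Module ActiveDirectory

$root   = (Get-ADDomain).DistinguishedName
$schema = (Get-ADRootDSE).schemaNamingContext
$group  = Get-ADGroup -Identity 'EmployeeID-Editors'

# Resolve schema GUIDs at run time instead of hard-coding them.
function Get-SchemaGuid([string]$LdapName) {
    $obj = Get-ADObject -SearchBase $schema `
        -LDAPFilter "(lDAPDisplayName=$LdapName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}
$attrGuid = Get-SchemaGuid 'employeeID'   # the property being delegated
$userGuid = Get-SchemaGuid 'user'         # limits the ACE to user objects

# Allow ACE: write the employeeID property only, inherited by
# descendant user objects only (not applied to the domain root itself).
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $attrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userGuid)

$acl = Get-Acl -Path "AD:\$root"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$root" -AclObject $acl

# OUs with inheritance blocked: the ACE above does not reach user
# objects under these, so each one needs a decision of its own.
Get-ADOrganizationalUnit -Filter * -Properties nTSecurityDescriptor |
    Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected } |
    Select-Object -ExpandProperty DistinguishedName

# Review what was granted: explicit ACEs at the root for the group.
(Get-Acl -Path "AD:\$root").Access |
    Where-Object { $_.IdentityReference -like '*EmployeeID-Editors' } |
    Format-List ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```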
