Sure. Just delegate access on that attribute in descendant user objects at an appropriate point in your forest.
You might want to consider the tool the user will use. A small script or simple web page are likely better choices than ADAC or ADUC. And if you have multiple needs for this kind of solution, there are a number of low-priced (and high-priced) solutions available. -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Michael Leone Sent: Monday, October 16, 2017 8:44 AM To: [email protected]; ActiveDir Mailing List Subject: [NTSysADM] Is it possible to allow users to update just 1 field in AD? I have a user, who needs to do 2 things in AD. 1. She needs to lookup a user, to see what their login ID is (it has to match what is in our Cisco VOIP, I'm told). And then ... 2. She needs to input a value in the "IP Phone" field. (apparently, the Cisco software does an LDAP lookup of this field). Is it possible to delegate the right to change just that one field to a user? (I think not) We don't want her to inadvertently delete a user, or change anything else. We're just tired of her calling the help desk to do simple lookups, or enter a phone number that she should (might?) be able to do herself. Mind you, I did an export of all user logins, which was supposed to be fed into the Cisco system. So why they think the logins don't match, I don't know. And don't have time (or inclination) to deal with. Thanks for any advise.
