Don't give the staff member a direct PowerShell solution. We've done something similar with LAPS and allowing certain staff members to read the local Administrator password from AD on their machines - we created a limited account with specific rights to perform the task and set up a web page that has that account perform the task.
Kurt

On Mon, Oct 16, 2017 at 5:44 AM, Michael Leone <oozerd...@gmail.com> wrote:
> I have a user, who needs to do 2 things in AD.
>
> 1. She needs to look up a user, to see what their login ID is (it has
> to match what is in our Cisco VOIP, I'm told). And then ...
> 2. She needs to input a value in the "IP Phone" field. (apparently,
> the Cisco software does an LDAP lookup of this field).
>
> Is it possible to delegate the right to change just that one field to
> a user? (I think not) We don't want her to inadvertently delete a
> user, or change anything else. We're just tired of her calling the
> help desk to do simple lookups, or enter a phone number that she
> should (might?) be able to do herself.
>
> Mind you, I did an export of all user logins, which was supposed to be
> fed into the Cisco system. So why they think the logins don't match, I
> don't know. And don't have time (or inclination) to deal with.
>
> Thanks for any advice.
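
The limited-account approach from the reply above, as an added example that is not code from either poster: it grants one account write access to the `ipPhone` attribute only, then defines the single operation a web back end would run as that account. The OU path, the account name `svc-ipphone`, the function name and the input patterns are hypothetical.

```powershell
# Added example; OU path, account name and input patterns are assumptions.
Import-Module ActiveDirectory

$TargetOU = 'OU=Staff,DC=example,DC=com'   # hypothetical OU holding the user objects
$Delegate = 'svc-ipphone'                  # hypothetical limited account used by the web page

# Resolve schema GUIDs by name instead of hard-coding them.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$LdapName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapName' not found" }
    [guid]$obj.schemaIDGUID
}
$ipPhoneGuid = Get-SchemaGuid 'ipPhone'
$userGuid    = Get-SchemaGuid 'user'

# Allow ACE: write the ipPhone property only, inherited by descendant user objects only.
$sid = (Get-ADUser -Identity $Delegate).SID
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $ipPhoneGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userGuid)

$acl = Get-Acl -Path "AD:\$TargetOU"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# The one operation the web back end exposes, run as the limited account.
# Inputs are pattern-checked before they reach the directory query.
function Set-UserIpPhone {
    param(
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9._-]{1,20}$')][string]$SamAccountName,
        [Parameter(Mandatory)][ValidatePattern('^\+?[0-9]{3,15}$')][string]$IpPhone
    )
    $user = Get-ADUser -Filter "sAMAccountName -eq '$SamAccountName'" -SearchBase $TargetOU
    if (-not $user) { throw "No user '$SamAccountName' under $TargetOU" }
    Set-ADUser -Identity $user -Replace @{ ipPhone = $IpPhone }
    # Return the login ID and DN so the page can show which object was changed.
    [pscustomobject]@{ LoginId = $user.SamAccountName; DN = $user.DistinguishedName }
}
```

The ACE section is run once by a directory administrator; only `Set-UserIpPhone` belongs in the code the web page executes.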