Active Directory Give users certain permission
I'm trying to find a way for users to change their job title or address in Active Directory. What I've done is pushed them a batch file as shown below so they can search for themselves in the AD:

    @echo off
    start Rundll32 dsquery.dll OpenQueryWindow

So far so good. The problem is that the users are not able to actually change their information. It seems to be read-only.
After some searching on the internet I found that this may have something to do with permissions in Exchange 2010.
So I've taken a look at the Default Role Assignment Policy and it seems it's set correctly. It has all "MyContactInformation" enabled.
When going to webmail --> Options I can edit some information and it is stored within AD, so that works, but I don't see fields like Job Title.
Is there another way (without using 3rd party tools) users can change their title and department?
Greetings,
Lennart
active-directory exchange-2010
asked Apr 11 at 10:30
Lennart Giaccotto
This is strange. Why should users do that? This is a setting for AD admins. If you want to automate things, you can use Set-ADUser "User01" -Department "HR" -Title "Slave". I've never seen a company where users set their own AD department info; this should be set by the AD admin according to the OU structure.
– Overmind
Apr 11 at 11:23
I realize this might seem strange to some. On the other hand I've seen it before in several companies but always with 3rd party tools, but that's a different conversation. Job title is actually the field I'm trying to let users change themselves.
– Lennart Giaccotto
Apr 11 at 11:36
Usually you can change your own details if you go to Explorer -> Network -> [Menu Network] -> Search Active Directory -> enter your own name -> search -> change what you need. Does this work for you?
– Lenniey
Apr 11 at 12:19
I just realized that you are doing the exact same thing, but calling the dialogue via your batch. So it obv. doesn't work for you (but it does for me in my AD).
– Lenniey
Apr 11 at 12:26
As for the permission problems: have you reviewed the user's security properties, especially the "SELF" group?
– duenni
Apr 11 at 13:12
3 Answers
Please check this related case. In this case Robbie_Roberts provided two options to allow users to edit their job title themselves (PowerShell or ECP). It is related to Exchange RBAC. I did a test with ECP; here are the commands:

    # Create a custom role derived from the built-in "Mail Recipients" role
    New-ManagementRole -Name "Mail Recipients Custom" -Parent "Mail Recipients"
    # Remove every role entry except Set-User
    Get-ManagementRoleEntry "Mail Recipients Custom\*" | where { $_.Name -ne "Set-User" } | Remove-ManagementRoleEntry
    # Limit Set-User to the Identity, Title and Department parameters
    Set-ManagementRoleEntry "Mail Recipients Custom\Set-User" -Parameters Identity,Title,Department
    # Add the Get-* entries of the parent role to the custom role
    Get-ManagementRoleEntry "Mail Recipients\Get-*" | Add-ManagementRoleEntry -Role "Mail Recipients Custom"
    # Assign the custom role to user a01, with write scope limited to the user's own object
    New-ManagementRoleAssignment -Name "test" -Role "Mail Recipients Custom" -User a01 -RecipientRelativeWriteScope Self
    New-ManagementRoleAssignment -Role "View-Only Recipients" -User a01

Then I accessed ECP with the a01 account and could edit his own Job and department. Please note it could view other users' information without editing.
Hope it is helpful.
answered Apr 12 at 8:02
Shaw
This looks very promising! Thank you, I will dive into it!
– Lennart Giaccotto
Apr 12 at 8:16
I suppose you have Exchange integrated with your domain. In that case, the solution provided by @Shaw will work unless you don't allow updates from Exchange to AD. In that case, review the interaction between both services and allow a bidirectional transfer of info.
– Carlos Garcia
Apr 12 at 8:20
I have indeed. The only thing is that from what I can tell from the image above this is Exchange 2013 or higher. We still use 2010. Title and Department are not visible in ECP.
– Lennart Giaccotto
Apr 12 at 8:33
If using Exchange 2010, I think you may try the option 1 in the case, use remote powershell to modify the title.
– Shaw
yesterday
There is no direct way to do this by the user, although it is possible via scripts.
rundll32 dsquery, OpenQueryWindow can do it if the AD right to change the required fields on their AD account has been enabled.
Other methods such as using dsmod or PowerShell scripts would be too complicated for a normal user to do, but if you can make them properly run for them it could be an alternative.
answered Apr 11 at 12:01
Overmind
This is what my batch file does, but I think the problem for me is the missing rights for the users to self-update. I thought I could do this via Exchange Role assignment but this does not make a difference outside webmail.
– Lennart Giaccotto
Apr 11 at 12:49
You need the AD rights, not Exchange.
– Overmind
Apr 11 at 13:04
Is there a 'self service' rights group in AD present or do I need to create one?
– Lennart Giaccotto
Apr 11 at 13:32
I believe you can assign rights to SELF IIRC. Never tried it.
– Harry Johnston
Apr 11 at 22:54
I've tried! It indeed does make it possible for users to change their information, but although I grant the rights to SELF it makes it possible to change it for all users...
– Lennart Giaccotto
Apr 12 at 10:06
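
An added example, not part of the original thread: a read-only PowerShell audit for the situation discussed in the comments above, listing which trustees hold write access to the title and department attributes on each user object and whether that trustee is SELF. The OU in `$SearchBase` is a placeholder, and the script assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example (not from the original thread). Read-only: it changes nothing.
# Assumptions: the RSAT ActiveDirectory module is available, and $SearchBase
# is a placeholder OU that you replace with your own distinguished name.
Import-Module ActiveDirectory

$SearchBase = 'OU=Staff,DC=example,DC=com'   # hypothetical OU
$Attributes = 'title', 'department'          # the fields discussed in the question
$SelfSid    = 'S-1-5-10'                     # well-known SID of NT AUTHORITY\SELF

# Map each attribute's schemaIDGUID to its name, read from the schema partition
# rather than hard-coded.
$schemaNC   = (Get-ADRootDSE).schemaNamingContext
$guidToName = @{}
foreach ($name in $Attributes) {
    $attr = Get-ADObject -SearchBase $schemaNC `
                         -LDAPFilter "(lDAPDisplayName=$name)" `
                         -Properties schemaIDGUID
    $guid = [guid]$attr.schemaIDGUID
    $guidToName[$guid] = $name
}

$writeProperty = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$sidType       = [System.Security.Principal.SecurityIdentifier]

$report = foreach ($user in Get-ADUser -SearchBase $SearchBase -Filter *) {
    $acl = Get-Acl -Path "AD:\$($user.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        # Keep only Allow ACEs that grant WriteProperty on one of the named
        # attributes. ACEs that cover all properties or a property set are
        # not examined by this script.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not ($ace.ActiveDirectoryRights -band $writeProperty)) { continue }
        if (-not $guidToName.ContainsKey($ace.ObjectType)) { continue }

        # Compare by SID so the check also works on localized systems.
        $trusteeSid = $ace.IdentityReference.Translate($sidType).Value

        [pscustomobject]@{
            User          = $user.SamAccountName
            Attribute     = $guidToName[$ace.ObjectType]
            Trustee       = $ace.IdentityReference.Value
            TrusteeIsSelf = ($trusteeSid -eq $SelfSid)
            Inherited     = $ace.IsInherited
        }
    }
}

# Users on which SELF may write the attribute (the intended delegation).
$report | Where-Object { $_.TrusteeIsSelf } |
    Sort-Object User, Attribute |
    Format-Table User, Attribute, Inherited -AutoSize

# Any other trustee with attribute-specific write access, for review.
$report | Where-Object { -not $_.TrusteeIsSelf } |
    Group-Object Trustee, Attribute |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

A trustee such as a broad group in the second table means the write right is not limited to each user's own object.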
add a comment |
This is what my batchfile does, but i think the problem for me is the missing rights for the users to self-update. I thought i could do this via exhange Role assignment but this does not make a difference outside webmail.
– Lennart Giaccotto
Apr 11 at 12:49
You need the AD rights, not exchange.
– Overmind
Apr 11 at 13:04
Is there a 'self service' rights group in ad present or do i need to create one?
– Lennart Giaccotto
Apr 11 at 13:32
I believe you can assign rights toSELF
IIRC. Never tried it.
– Harry Johnston
Apr 11 at 22:54
I've tried! It indeed does make it possible for users to change their information. but altough i grant the rights to SELF it makes it possible to change it for all users...
– Lennart Giaccotto
Apr 12 at 10:06
You could use something like this: https://gallery.technet.microsoft.com/scriptcenter/GUI-for-AD-User-Attribute-b6ac7251
and adapt to your needs.
I have also seen this in conjunction with ticket systems as "Self-service portals".
Depending on your scripting skills, you could develop a simple website which fires the corresponding PowerShell scripts.
answered Apr 11 at 12:06
duenni
1
This is strange. Why should users do that? This is a setting for AD admins. If you want to automate things, you can use Set-ADUser "User01" -Department "HR" -Title "Slave". I have never seen a company where users set their own AD department info; this should be set by the AD admin according to the OU structure.
– Overmind
Apr 11 at 11:23
I realize this might seem strange to some. On the other hand, I've seen it before in several companies, but always with 3rd party tools; that's a different conversation. Job title is actually the field I'm trying to let users change themselves.
– Lennart Giaccotto
Apr 11 at 11:36
Usually you can change your own details if you go to Explorer -> Network -> [Menu Network] -> Search Active Directory -> enter your own name -> search -> change what you need. Does this work for you?
– Lenniey
Apr 11 at 12:19
I just realized that you are doing the exact same thing, but calling the dialogue via your batch. So it obv. doesn't work for you (but it does for me in my AD).
– Lenniey
Apr 11 at 12:26
As for the permission problems: have you reviewed the user's security properties, especially the "SELF" group?
– duenni
Apr 11 at 13:12
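The review of the user object's security properties suggested above, and a check on where a delegation for Job Title actually landed, can be done with a read-only audit like the following. This is an added example, not code from the thread or its posters; `User01` is a placeholder account, the function name is hypothetical, and it assumes the ActiveDirectory RSAT module and an English-language name for the SELF principal.

```powershell
# Added example: read-only audit of who can write one attribute on one user object.
Import-Module ActiveDirectory

function Get-AttributeWriteAce {
    param(
        [string]$SamAccountName = 'User01',  # placeholder account (assumption)
        [string]$AttributeName  = 'title'    # LDAP name of the Job Title field
    )

    # Look up the attribute's GUIDs in the schema rather than hard-coding them.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(lDAPDisplayName=$AttributeName)" `
        -Properties schemaIDGUID, attributeSecurityGUID
    if (-not $attr) { throw "Attribute '$AttributeName' not found in schema." }

    # An ACE covers the attribute if its ObjectType is the attribute itself,
    # the property set the attribute belongs to, or empty (all properties).
    $targets = @([guid]::Empty, [guid]$attr.schemaIDGUID)
    if ($attr.attributeSecurityGUID) { $targets += [guid]$attr.attributeSecurityGUID }

    $user  = Get-ADUser -Identity $SamAccountName
    $acl   = Get-Acl -Path "AD:\$($user.DistinguishedName)"
    $write = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band $write) -eq $write -and
            $targets -contains $_.ObjectType
        } |
        Select-Object @{ n = 'Trustee'; e = { $_.IdentityReference.Value } },
            ActiveDirectoryRights, IsInherited, InheritanceType,
            # Name comparison assumes an English-language domain controller.
            @{ n = 'IsSelf'; e = { $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF' } }
}

# List every trustee that can write the attribute; SELF rows sort last.
Get-AttributeWriteAce | Sort-Object IsSelf, Trustee | Format-Table -AutoSize
```

Rows where `IsSelf` is false and the trustee is not an administrative group are the ones to review, since they let that principal write the attribute on this user regardless of who the user is.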