
The following attributes are present on an Exchange user, and this is what my colleague sees: (notice the locks)

[Image: attributes with locks]

  • How can I properly delegate Read access (or Read write if it must be) to these attributes?

One thing that is throwing me off is that the attributes also exist on AD accounts / contacts, but there is no GUI. I would also like to permit delegation of these attributes as well.

I think the concept I'm missing in AD is how "inheritance" works, and where permissions are applied in an inheritance situation. (An Exchange user is a superset of an AD user, but there are some things in Exchange such as active sync, that don't exist at the AD user level).

Understanding how to delegate permissions in an "Exchange" situation vs. an "AD situation" is probably where my knowledge gap is; then again, I could be off base.

makerofthings7
  • Are those attributes actually used? Those are the default 15 "custom" attributes that are included in AD by default (so they're Active Directory attributes, not Exchange attributes, and your colleague would need permissions or delegations on the AD side, not the Exchange side). They're usually not used, so you may be making an issue out of nothing here. – HopelessN00b Jul 29 '14 at 14:37
  • 1
    @HopelessN00b Of course we're using them (I don't want to waste people's time). Are they actually AD attributes? [Exchange Schema Reference](http://www.microsoft.com/en-us/download/confirmation.aspx?id=5401) does actually add them. If we're both right (AD attributes + Exchange attributes) then that complicates the situation. How are we using them? Ping Identity server is mapping incoming SAML requests to users. – makerofthings7 Jul 29 '14 at 14:44
  • FYI - you're not correct in saying that ActiveSync is not in AD. It is; it's part of a bit-field attribute named "msExchOmaAdminWirelessEnable". https://social.technet.microsoft.com/Forums/exchange/en-US/855a485f-a327-49c1-8184-9a9d6d1fe9db/ldap-query-for-active-sync-users?forum=exchangesvradminlegacy – mfinni Oct 14 '14 at 16:05

1 Answer

You can delegate control of this attribute by using the Delegate Control wizard in Active Directory Users and Computers.

  1. Right-click the OU containing the user accounts you want to delegate control of; select delegate control.
  2. Click Next at the "Welcome to the Delegation of Control Wizard" dialog.
  3. Enter the groups or users you would like to grant these permissions. Next.
  4. Choose Create a custom task to delegate. Next.
  5. Choose "Only the following objects.." and check User objects. Next.
  6. Uncheck General, check Property-specific. Scroll down until you find

    Read extensionAttribute1
    Write extensionAttribute1
    Read extensionAttribute10
    Write extensionAttribute10

These are the lDAPDisplayName values for the "ms-Exch-Extension-Attribute-XX" attribute displayed in Exchange as CustomAttribute1, etc.

Check the attributes you'd like to delegate control of, click Next and then Finish to complete the delegation wizard.

You can see these attributes in Active Directory Users and Computers by first enabling Advanced Features in the View menu. Viewing the properties of an AD user will reveal an additional tab named Attribute Editor. Click Filter on the Attribute Editor tab and uncheck "Show only attributes that have values" which will reveal all of the available attributes for that object which will include the above extensionAttribute1, etc.

You can also view and set these values with PowerShell, provided you have the ActiveDirectory module installed.

View:

    Get-ADUser <username> -Properties extensionattribute1

Set:

    # extensionAttribute1 is single-valued, so -Replace is used rather than -Add:
    # -Add fails if the attribute already holds a value.
    Set-ADUser <username> -Replace @{"extensionattribute1"="Your Value Here"}

Clear:

    Set-ADUser <username> -Clear extensionattribute1
brandon
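The wizard steps above can also be expressed as a PowerShell script that writes the same property-specific ACE (attribute schemaIDGUID as ObjectType, user class GUID as InheritedObjectType) and then reads it back for verification. This is an added example, not code from the original answer; the OU, group and attribute names are placeholders.

```powershell
# Added example (not from the original answer): apply the property-specific ACE
# that the Delegation of Control wizard writes, but from PowerShell so the grant
# is repeatable and can be reviewed in change control. Names are placeholders.
Import-Module ActiveDirectory

$ouDN      = 'OU=Staff,DC=example,DC=com'                      # placeholder OU
$groupName = 'AttrEditors'                                     # placeholder delegate group
$attrNames = @('extensionAttribute1', 'extensionAttribute2')   # lDAPDisplayNames to delegate
$schemaNC  = (Get-ADRootDSE).schemaNamingContext

# Property-specific ACEs are keyed by the attribute's schemaIDGUID (ObjectType).
# Limiting the grant to User objects (wizard step 5) uses the user class
# schemaIDGUID as InheritedObjectType. Both are looked up in the schema at run time.
function Get-SchemaGuid {
    param([string]$LdapDisplayName)
    $obj = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    return [guid]$obj.schemaIDGUID
}

$userClassGuid = Get-SchemaGuid 'user'
$sid  = (Get-ADGroup $groupName).SID
$path = "AD:\$ouDN"
$acl  = Get-Acl -Path $path

foreach ($name in $attrNames) {
    # Drop WriteProperty for a read-only delegation.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
        [System.Security.AccessControl.AccessControlType]::Allow,
        (Get-SchemaGuid $name),
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid)
    $acl.AddAccessRule($ace)
}
Set-Acl -Path $path -AclObject $acl

# Verify: the group's object-specific ACEs on the OU should list one ObjectType
# GUID per delegated attribute, each with the user class GUID as InheritedObjectType.
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" -and $_.ObjectType -ne [guid]::Empty } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType
```

Because the ACE is inherit-only on the OU, it takes effect on existing and future user objects beneath it but grants nothing on the OU object itself.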
  • 1
    One small correction: Choose "Only the following objects.." and check User objects. Next. You actually need to select "msExchCustomAttributes objects" in order to control access of the "extensionAttributeN" –  Feb 24 '15 at 20:57
  • I can't find extensionattribute1-10 only; is there any workaround? – Akam Jan 19 '20 at 13:24