We have a tool being developed that will keep specific attributes of Active Directory user objects up to date with an authoritative source of truth for employee information elsewhere, so that when someone's phone number or manager or location changes, Active Directory is automatically updated.

For normal users, delegating the ability to manipulate those properties is simple to handle using the delegation tools, but for protected users, who have the adminSDHolder ACL applied, it's more difficult.

When adding an ACE to the adminSDHolder ACL using the UI, you're only able to grant access to all properties (which we don't want for security reasons), or properties that exist on the adminSDHolder object itself - not user properties like department.

How do you grant access to specific properties of user objects under the protection of adminSDHolder?

Shane Madden
  • Not to be **that** guy, but why do you have users who are affected by adminSDHolder who need to have HR information updated? You should be following an LPU model of system administration and using separate named accounts for administration, such as ShaneMaddenAdmin (or whatever), so you shouldn't have any user accounts that would need HR information updated as members of any protected groups. – joeqwerty Dec 11 '14 at 00:01
  • @joeqwerty Key word being "should" - not all of the accounts are split currently, but agreed that they should be. – Shane Madden Dec 11 '14 at 00:17

1 Answer

This is doable, but only through the command line tools - the UI is incapable of making the changes (and of figuring out what those ACEs actually are once they're in place).

In order to grant access to a specific user object attribute, for example telephoneNumber, use dsacls:

dsacls "CN=AdminSDHolder,CN=System,DC=example,DC=com" /G Allow-User-Management:RPWP;telephoneNumber;

This creates an ACE for that attribute, which is meaningless on adminSDHolder since it doesn't have a telephoneNumber, but is then applied to the protected users.

Note that the UI tools will look like this, with each of these properties you grant creating an ACE that the UI isn't sure what to make of:

(screenshot: confused-ui)

But, dsacls "CN=AdminSDHolder,CN=System,DC=example,DC=com" will show the truth:

Allow Allow-User-Management
                                      SPECIAL ACCESS for sn
                                      WRITE PROPERTY
                                      READ PROPERTY
Allow Allow-User-Management
                                      SPECIAL ACCESS for telephoneNumber
                                      WRITE PROPERTY
                                      READ PROPERTY
Shane Madden
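As an added example, not part of the original answer: the PowerShell equivalent of the dsacls grant above for a set of attributes, followed by a dump of AdminSDHolder's property-scoped ACEs with the attribute names resolved from the schema (the thing the GUI cannot do). It assumes the RSAT ActiveDirectory module is installed and that the group name Allow-User-Management from the answer is a placeholder for your own delegation group.

```powershell
# Added example (not from the original answer). Requires the RSAT
# ActiveDirectory module; "Allow-User-Management" is the group named
# in the answer and is a placeholder for your own delegation group.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$holderDN = "CN=AdminSDHolder,CN=System,$domainDN"
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Map schemaIDGUID -> lDAPDisplayName for every schema attribute, so that a
# property-specific ACE can be resolved to a name (the GUI shows it as unknown).
$guidToAttr = @{}
Get-ADObject -SearchBase $schemaNC -LDAPFilter '(&(objectClass=attributeSchema)(schemaIDGUID=*))' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidToAttr[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
$attrToGuid = @{}
$guidToAttr.GetEnumerator() | ForEach-Object { $attrToGuid[$_.Value] = $_.Key }

$acl = Get-Acl -Path "AD:\$holderDN"
$sid = (Get-ADGroup 'Allow-User-Management').SID

# Equivalent of: dsacls <AdminSDHolder> /G Allow-User-Management:RPWP;<attr>;
# One non-inherited ACE per attribute, scoped by the attribute's schema GUID.
# SDProp then stamps this DACL onto every protected (adminCount=1) object.
foreach ($attr in 'telephoneNumber', 'department', 'manager') {
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
        [System.Security.AccessControl.AccessControlType]::Allow,
        $attrToGuid[$attr],
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path "AD:\$holderDN" -AclObject $acl

# Verify: list every property-scoped ACE on AdminSDHolder with the attribute
# name resolved, which is what dsacls prints as "SPECIAL ACCESS for <attr>".
(Get-Acl -Path "AD:\$holderDN").Access |
    Where-Object { $_.ObjectType -ne [guid]::Empty } |
    ForEach-Object {
        [pscustomobject]@{
            Trustee   = $_.IdentityReference
            Rights    = $_.ActiveDirectoryRights
            Attribute = if ($guidToAttr.ContainsKey($_.ObjectType)) { $guidToAttr[$_.ObjectType] } else { $_.ObjectType }
        }
    } | Format-Table -AutoSize
```

ObjectType GUIDs that are not attributes (property sets or extended rights) fall through the lookup and are printed raw, so anything unresolved in the output is worth a second look.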