Re: Which group has the ability to create contacts in AD?

From: Marin Marinov (mlmarinov_at_askme.ca)
Date: 04/22/04


Date: Thu, 22 Apr 2004 10:19:02 -0400

In article <ejN6x6GKEHA.3428@TK2MSFTNGP09.phx.gbl>,
dnadon_nospm@hotmail.com says...
> Hopefully someone can point me in the right direction with this. I want to
> enable one of our users to be able to create new mail-enabled contacts in
> Active Directory. I've added the user's account to the Account Operators
> group and although they can create new users and groups, they cannot create
> new mail-enabled contacts (in fact, the option to create a contact isn't
> even available to the user). Right now, the only way I can create a new
> contact is through a user account that is a member of the Domain Admins
> group, but I do not want to give the user account full administrator
> access to the domain. Does anybody know which group(s), other than any of
> the administrator groups, that have the ability to create new contacts in
> Active Directory?
>
> Thanks.

In cases when a built-in or predefined group doesn't have the ability to
perform some action in AD, like in this case, you can delegate control
for that specific action. Objects in AD are protected by DACLs like
files and folders in NTFS, you just have many more permissions to
configure ;)

You should use the Delegation of Control Wizard to delegate the task of
creating Contact objects to this user. A best practice is to create a
global group, put the user in this group, and delegate permissions to
this group. So, right-click the OU where you want the user to create
contacts and select "Delegate control". You have to select "Create a
custom task to delegate" and on the next page select the object type
Contact and select the "Create..." checkbox. On the next page specify the
permissions the user requires or Full control if he/she will be fully
responsible for Contact objects.

HTH

-- 
Cheers,
   Marin Marinov
   MCT,MCSE 2003,MCSE:Security 2003
-
This posting is provided "AS IS" with no warranties, and confers no 
rights.
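
The delegation described in the reply above, scripted and then audited. This is an added example, not part of the original post; the OU distinguished name and the group name are hypothetical placeholders, and it assumes the ActiveDirectory PowerShell module is available.

```powershell
# Added example: delegate "create Contact objects" on one OU to a group,
# then list the explicit Contact-scoped ACEs on that OU for review.
Import-Module ActiveDirectory

$ouDn      = 'OU=Contacts,DC=example,DC=com'   # hypothetical OU
$groupName = 'Contact Creators'                # hypothetical global group
$grantFullControlOnContacts = $false           # set $true only if the group owns Contact objects

# Resolve the Contact class GUID from the schema rather than hard-coding it.
$schemaNc     = (Get-ADRootDSE).schemaNamingContext
$contactClass = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=contact)' `
                    -Properties schemaIDGUID
$contactGuid  = [guid]::new([byte[]]$contactClass.schemaIDGUID)
$groupSid     = (Get-ADGroup -Identity $groupName).SID

# ACE 1: allow creating child objects of class Contact in this OU and below.
$createContacts = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $contactGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$acl = Get-Acl -Path "AD:\$ouDn"
$acl.AddAccessRule($createContacts)

if ($grantFullControlOnContacts) {
    # ACE 2 (optional): Full control, inherited only by descendant Contact objects.
    $manageContacts = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $groupSid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $contactGuid)
    $acl.AddAccessRule($manageContacts)
}
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Audit: every explicit (non-inherited) ACE on the OU that is scoped to Contact.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { -not $_.IsInherited -and
                   ($_.ObjectType -eq $contactGuid -or $_.InheritedObjectType -eq $contactGuid) } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                  ObjectType, InheritedObjectType, InheritanceType
```

The audit query at the end can be run on its own against any OU to see which principals hold Contact-scoped rights there.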

