#1
Delegate Control to users to update own Personal Information

I would like every user to be able to update their Personal Information in Active Directory (i.e. phone number). I have an HTML Application that works to display user information, but it is unable to update Personal Information because the user doesn't have rights. How do I give "User1" the rights to change Personal Information for only "User1"?

I have found many articles on using the Delegate Control tool and putting users in a group and assigning change permissions for this group, but then everyone would be able to change other users' info. Can I use the user "NT Authority\Self" and can someone give me an explanation of when/ever to use this user for setting permissions.

Thanks,
Colin
|
#2
RE: Delegate Control to users to update own Personal Information

By default Active Directory lets the user change their own info. See for yourself, create a user, then log in and bring up the console and change the info.

"Colin" wrote:
> I would like every user to be able to update their Personal Information in Active Directory (i.e. phone number). I have a HTML Application that works to display user information, but it is unable to update Personal Information because the user doesn't have rights. How do I give "User1" the rights to change Personal Information for only "User1"?
>
> I have found many articles on using the Delegate Control tool and putting users in a group and assigning change permissions for this group, but then everyone would be able to change other users info. Can I use the user "NT Authority\Self" and can someone give me an explanation of when/ever to use this user for setting permissions.
>
> Thanks,
> Colin
|
#3
Re: Delegate Control to users to update own Personal Information

I opened up an MMC and tried to change it, but received an access denied. I haven't intentionally changed any permissions on the security tab. Are there any built-in administrative templates that would change permissions on the users OU? What permissions could I manually set to get it back to default for Server 2003 if by default it allows for changing own Personal Information?

"mbrunton" <mbrunton@discussions.microsoft.com> wrote in message news:1CDC3D36-B35C-40AF-8AE6-0F9734720EC5@microsoft.com...
> By default active directory lets the user change their own info. See for yourself, create a user, then login and bring up the console and change the info.
|
#4
Re: Delegate Control to users to update own Personal Information

To test, find that user in AD (as domain admin), go to the security tab, click reset to defaults. Then try it again.

"Colin" wrote:
> I opened up an MMC and tried to change it, but receive an access denied. I haven't intentionally changed any permissions on the security tab. Are there any builtin administrative templates that would change permissions on the users OU. What permissions could I manually set to get it back to default for Server 2003 if by default it allows for changing own Personal Information?
|
#5
Re: Delegate Control to users to update own Personal Information

OK. After further investigation it looks like the profile does have rights to change its Personal Information, but I receive an error message anyway. It does save the changes from within Active Directory Users and Computers but displays the following message:

---------------------------
Microsoft Active Directory - Exchange Extension
---------------------------
Access denied.

Facility: LDAP Provider

ID no: 80070005

Microsoft Active Directory - Exchange Extension

---------------------------
OK
---------------------------

From within my script it doesn't update the user's information and doesn't return an error message. I have a feeling it has to do with the above error I receive from within the snap-in. Sorry for making the assumption it didn't save within the snap-in, but when I received an access denied message I just assumed it couldn't.

"mbrunton" <mbrunton@discussions.microsoft.com> wrote in message news:9268C5E4-32B6-405B-A63E-EB7232D94748@microsoft.com...
> To Test find that user in AD(as domain admin), go to security tab, click reset to defaults. Then try it again.
|
#6
Re: Delegate Control to users to update own Personal Information

Colin says...
> OK. After further investigation it looks like the profile does have rights to change it's Personal Information, but I receive an error message anyway. It does save the changes from within Active Directory Users and Computers but displays the following message:
> ---------------------------
> Microsoft Active Directory - Exchange Extension
> ---------------------------
> Access denied.
>
> Facility: LDAP Provider
>
> ID no: 80070005
>
> Microsoft Active Directory - Exchange Extension
>
> ---------------------------
> OK
> ---------------------------
>
> From within my script it doesn't update the users information and doesn't return an error message. I have a feeling it has to do with the above error I receive from within the snap-in. Sorry for making the assumption it didn't save within the snap-in, but when I received an access denied message I just assumed it couldn't.

Hi Colin,

that's the Exchange add-in in Active Directory Users and Computers - let's forget that right now.

So verify that the user has the rights to access all the personal information you want to with AD Users and Computers (don't even think about the Exchange message - or try it with some computer where the Exchange extensions are not installed).

If the user has no rights to an attribute you want to allow him, you could delegate the rights using the security principal SELF and give him write access to the attribute you want.

Why your script in the IIS is probably not working: IIS is probably configured to allow anonymous access - you need to disable that for the script and set it to integrated authentication. Then make sure the IIS is in the local intranet zone on the user's Internet Explorer. IE will then forward the credentials of the user to the IIS, and the ASP page running will use the user's credentials to change the settings in AD.

--
Gruesse - Sincerely,

Ulf B. Simon-Weidner

MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
|
#7
Re: Delegate Control to users to update own Personal Information

OK. My script was failing because I was trying to update department which isn't part of Personal Information. Guess my next problem to resolve is why I am receiving that Exchange Extension error message from a newly created MMC with no Exchange snap-ins. The AD Users and Computers does have Exchange tabs available, but I'm not making any changes on those. Would it give the error message anyway? I'll see if I get an error message from a machine that doesn't have the Exchange tools installed. Thanks for the help.

"Colin" <legendsfan@nospam.nospam> wrote in message news:%23bVaoH$3FHA.700@TK2MSFTNGP15.phx.gbl...
> OK. After further investigation it looks like the profile does have rights to change it's Personal Information, but I receive an error message anyway. It does save the changes from within Active Directory Users and Computers but displays the following message:
> ---------------------------
> Microsoft Active Directory - Exchange Extension
> ---------------------------
> Access denied.
>
> Facility: LDAP Provider
>
> ID no: 80070005
>
> Microsoft Active Directory - Exchange Extension
>
> ---------------------------
> OK
> ---------------------------
>
> From within my script it doesn't update the users information and doesn't return an error message. I have a feeling it has to do with the above error I receive from within the snap-in. Sorry for making the assumption it didn't save within the snap-in, but when I received an access denied message I just assumed it couldn't.
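
Added example, not part of the thread: the two points above (write access granted to SELF, and department lying outside the Personal Information property set) can be checked against a user object's security descriptor. The SDDL string and the three-entry attribute map are constructed sample input, the function name Test-SelfWrite is hypothetical, and only Allow ACEs that name a property set or all properties are evaluated.

```powershell
# Added example; the SDDL and attribute map are constructed sample input.
Add-Type -AssemblyName System.DirectoryServices

# Property-set GUIDs (rightsGuid of the Personal-Information and
# Public-Information control access rights).
$PersonalInformation = [guid]'77b5b886-944a-11d1-aebd-0000f80367c1'
$PublicInformation   = [guid]'e48d0154-bcf8-11d1-8702-00c04fb96050'

# Attribute -> property set (the attribute's attributeSecurityGUID).
$AttributeSet = @{
    telephoneNumber = $PersonalInformation
    homePhone       = $PersonalInformation
    department      = $PublicInformation
}

# Constructed security descriptor: SELF (PS) may read/write the
# Personal-Information property set; Authenticated Users may read.
$SampleSddl = 'D:(OA;;RPWP;77b5b886-944a-11d1-aebd-0000f80367c1;;PS)(A;;RP;;;AU)'

function Test-SelfWrite {
    param(
        [Parameter(Mandatory)][string]$Sddl,
        [Parameter(Mandatory)][string]$Attribute
    )
    if (-not $AttributeSet.ContainsKey($Attribute)) {
        throw "No property-set mapping for '$Attribute' in this example."
    }
    $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
    $sd.SetSecurityDescriptorSddlForm($Sddl)
    $write   = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $sidType = [System.Security.Principal.SecurityIdentifier]

    foreach ($ace in $sd.GetAccessRules($true, $true, $sidType)) {
        # S-1-5-10 is the well-known SID of NT AUTHORITY\SELF.
        if ($ace.IdentityReference.Value -ne 'S-1-5-10') { continue }
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.ActiveDirectoryRights -band $write) -ne $write) { continue }
        # An empty ObjectType means "all properties"; otherwise the ACE
        # must name the property set the attribute belongs to.
        if ($ace.ObjectType -eq [guid]::Empty -or
            $ace.ObjectType -eq $AttributeSet[$Attribute]) { return $true }
    }
    return $false
}

foreach ($attr in 'telephoneNumber', 'homePhone', 'department') {
    '{0,-16} writable by SELF: {1}' -f $attr, (Test-SelfWrite $SampleSddl $attr)
}
```

With the ActiveDirectory module loaded, the `Sddl` property of `Get-Acl` on an `AD:` drive path can be passed in place of the sample string.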
|
#8
Re: Delegate Control to users to update own Personal Information

Colin says...
> OK. My script was failing because I was trying to update department which isn't part of Personal Information. Guess my next problem to resolve is why I am receiving that Exchange Extension error message from a newly created mmc with no exchange snap-ins. The AD Users and Computers does have Exchange tabs available, but I'm not making any changes on those. Would it give the error message anyway? I'll see if I get an error message from a machine that doesn't have the Exchange tools installed. Thanks for the help.

Hi Collin,

you won't get this on any other machine. The issue here is that the MMC still relies on Active Directory Users and Computers, and this is configured to load the Exchange Extensions if they are on the computer. I don't think there's any way to start ADUC without loading the Exchange Extensions if they are installed and registered on the machine.

I believe that the Exchange Extensions have a bug which always tries to update something, but since I'm not very much into Exchange I can't say for sure.

--
Gruesse - Sincerely,

Ulf B. Simon-Weidner

MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
|
#9
Re: Delegate Control to users to update own Personal Information

Thanks. It seems you are correct about the Exchange Extension trying to update even if nothing has been changed. Everything is working great now, which means I will no longer have to update users' Personal Information since they now have access to the HTML Application by way of a link off of our home intranet site. It's not an ASP page so I don't have to worry how the user is authenticating to the app. It's just stored on the file server.

"Ulf B. Simon-Weidner [MVP]" <nospam2-ulf@usw-consulting.com> wrote in message news:MPG.1dd354c959003a89989bd6@msnews.microsoft.com...
> Hi Collin,
>
> you won't get this on any other machine, the issue here is that the MMC still relies to Active Directory Users and Computers, and this is configured to load the Exchange Extensions if they are on the computer. I don't think there's any way to start ADUC without loading the Exchange Extensions if they are installed and registered on the machine.
>
> I believe that the Exchange Extensions have a bug which always tries to update something, but since I'm not very much into Exchange I can't say for sure.
>
> --
> Gruesse - Sincerely,
>
> Ulf B. Simon-Weidner
>
> MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
> Weblog: http://msmvps.org/UlfBSimonWeidner
> Website: http://www.windowsserverfaq.org
|
#10
Re: Delegate Control to users to update own Personal Information

Colin says...
> Thanks. It seems you are correct about the Exchange Extension trying to update even if nothing has been changed. Everything is working great now which means I will no longer have to update users Personal Information since they now have access to the HTML Application by way of a link off of our home intranet site. It's not an ASP page so I don't have to worry how the user is authentication to the app. It's just stored on the file server.

Authentication is the same if the application runs off an IIS. If it's just a script, HTA or something like this, then it should work anyway as long as it's not providing different credentials.

However, glad you got it working. Post back if you have any other issues / questions.

--
Gruesse - Sincerely,

Ulf B. Simon-Weidner

MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org