HollowA

Reputation: 110

Provide all users with ability to edit their own specific attributes in Active Directory

I've been working on a project that allows users in our domain to edit 3 Active Directory attributes on their own object. It has been written in Python, and the only issue I have now is user permissions on these attributes.

Two of these are custom; the third is the Location (physicalOfficeDeliveryAddress). I have looked everywhere and only found documentation on how to give permission for users in a group for these attributes but for ALL users or limited by group.

I'm looking to apply the permission under the Identity Reference: NT AUTHORITY\SELF so that users may only edit their own attributes.

In fewer words, I'm looking to write a script that will delegate permissions for three specific attributes to ALL users in the domain but only for themselves (NT AUTH\SELF).

I have a loop that will perform it for each user; I have just hit a brick wall in what to include in the loop.

Any help would be appreciated.

Upvotes: 0

Views: 1456

Answers (1)

Gabriel Luci

Reputation: 40988

NT AUTHORITY\SELF is one of Windows' well-known SIDs, with a SID of S-1-5-10.

So you do it the same way you would for any other account, but grant the permissions to S-1-5-10 instead.

If you show us the code you're working with, we might be able to help you with where to plug in that value, if you need.

Upvotes: 1
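
An added example, not part of the answer above or of the asker's code: it grants SELF (S-1-5-10) write access to three specific attributes once on an OU, inherited by the user objects beneath it, instead of looping over every user. The OU distinguished name and the two custom attribute names are placeholders, and physicalDeliveryOfficeName is assumed to be the Office attribute the question refers to.

```powershell
Import-Module ActiveDirectory

# Placeholders (assumptions): replace with your own OU and attribute lDAPDisplayNames.
$TargetOU   = 'OU=Staff,DC=example,DC=com'
$Attributes = 'physicalDeliveryOfficeName', 'exampleCustomAttr1', 'exampleCustomAttr2'

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Resolve a schema object's lDAPDisplayName to its schemaIDGUID.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    [guid]$obj.schemaIDGUID
}

# Well-known SID for NT AUTHORITY\SELF: resolved per object at access-check time.
$self          = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-10'
$userClassGuid = Get-SchemaGuid 'user'
$attrGuids     = $Attributes | ForEach-Object { Get-SchemaGuid $_ }

$acl = Get-Acl -Path "AD:\$TargetOU"
foreach ($attrGuid in $attrGuids) {
    # Allow WriteProperty on this one attribute only, inherited by descendant user objects.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $self,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $attrGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid)
    $acl.AddAccessRule($ace)
}
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# Review what was written: list the ACEs scoped to the three attribute GUIDs.
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $attrGuids -contains $_.ObjectType } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType
```

Accounts protected by AdminSDHolder do not inherit this ACE, and the identity running the script needs permission to modify the OU's DACL.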
