This article provides instructions on configuring the SYNERGIX AD Client Extensions self service feature to manage Active Directory User General Information. It also provides additional steps required to delegate control in Active Directory.
The ADCE service runs in the context of SYSTEM or NETWORK SERVICE. For the AD Client Extensions service component, or for that matter any application, to update user object attribute values, it must have the WRITE permission on the attribute. For the fields (or attributes) displayed under the SYNERGIX AD Client Extensions 'General Information' tab that users must be able to update, the software should have READ and WRITE PROPERTY permission on the chosen attributes. Because SYSTEM and NETWORK SERVICE access the directory as the computer account, the steps below delegate these permissions to the 'Domain Computers' group.
- Log into a domain computer with your domain admin account.
- Launch "Active Directory Users and Computers" management console or run DSA.MSC.
- Select the domain object or an organization unit that you wish to manage.
- Right-click the domain object or the organization unit and, from the context menu, select 'Delegate Control ...'
- In the 'Welcome to the Delegation of Control wizard' dialog box, click on Next
- In the 'Users and Groups' dialog box, click on Add
- In the 'Select Users, Computers or Groups' dialog box, type 'Domain Computers' in the 'Enter the object name to select' text box and click on the 'Check Names' button to validate the entry. Click on OK to accept the entry and return to the 'Users and Groups' dialog box.
- Verify that 'Domain Computers' is listed in the 'Selected Users and Groups' list. Click on Next.
- In the 'Tasks to delegate' dialog box, click on 'Create a custom task to delegate'. Click on Next
- In the 'Active Directory Object Type' dialog box, click on 'Only the following objects in the folder ..' and from the list, select 'User objects'. You do NOT have to check 'Create selected objects in the folder' and 'Delete selected objects in the folder'. Click on Next to proceed.
- In the Permissions dialog box, you have a few ways to assign the permissions. In a simple scenario, you can assign FULL CONTROL. Alternatively, you can check Read and Write General Information. However, it is recommended that you grant only the necessary permissions to the Domain Computers security principal. For example, if you wish to grant the user permission to update their Office Telephone number using SYNERGIX AD Client Extensions, you can grant "Write Telephone Number" by checking the Permission entry in the list. Click on Next after you have made your choice and have checked the appropriate permissions.
- In the 'Completing the Delegation of Control' wizard, review the information and click on Finish to apply the changes
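
To check what the wizard actually granted, the following added example (not part of the SYNERGIX documentation) lists the permissions held by 'Domain Computers' on the delegated container and marks entries broader than a single attribute or property set. It assumes the RSAT ActiveDirectory PowerShell module is installed; the distinguished name in $TargetDn is a placeholder.

```powershell
# Added example: list what is delegated to Domain Computers on one OU or domain.
# Assumes the RSAT ActiveDirectory module; $TargetDn is a placeholder DN.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$TargetDn  = 'OU=Staff,DC=example,DC=com'   # placeholder: where you ran the wizard
$Principal = 'Domain Computers'

# Map schema GUIDs (attributes, classes) and property-set GUIDs to names.
$rootDse = Get-ADRootDSE
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
        -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter '(rightsGuid=*)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

$adr        = [System.DirectoryServices.ActiveDirectoryRights]
$writeProp  = [int]$adr::WriteProperty
$ownerOrAcl = [int]$adr::WriteDacl -bor [int]$adr::WriteOwner
$empty      = [guid]::Empty

(Get-Acl -Path "AD:\$TargetDn").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$Principal" -and
                   $_.AccessControlType -eq 'Allow' } |
    ForEach-Object {
        $rights = [int]$_.ActiveDirectoryRights
        # Broad = can rewrite the ACL/owner (Full Control includes both), or can
        # write every property rather than one named attribute or property set.
        $broad = (($rights -band $ownerOrAcl) -ne 0) -or
                 ((($rights -band $writeProp) -ne 0) -and $_.ObjectType -eq $empty)
        [pscustomobject]@{
            Rights    = $_.ActiveDirectoryRights
            Property  = if ($_.ObjectType -eq $empty) { '(all)' } else { $guidMap[$_.ObjectType] }
            AppliesTo = if ($_.InheritedObjectType -eq $empty) { '(all)' } else { $guidMap[$_.InheritedObjectType] }
            Inherited = $_.IsInherited
            TooBroad  = $broad
        }
    } | Format-Table -AutoSize
```

A delegation made with the FULL CONTROL choice appears with TooBroad set to True, while a single-attribute grant such as "Write Telephone Number" appears with that attribute's name in the Property column.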