Last Name attribute not available for Read/Write in Delegation of Control Wizard

active-directorydelegation

I am using Active Directory Users and Computers version 6.1.7601.17514

I am attempting to delegate the ability for our HR users to edit the First and Last Name for user accounts in Active Directory. I am using the Active Directory Delegation of Control Wizard to do this. My process is like so:

Right click the OU
Delegate Control
add my group
create a custom task to delegate
Only the following objects in the folder
check User Objects
uncheck General and check Property-specific

I can find First Name (and all the other attributes I want to delegate the control of) but not Last Name. I did some searching and found that some of these attributes may be filtered out. Apparently if one edits dssec.dat found in %systemroot%\system32 and changes sn=7 to sn=0 in the [user] section this should allow the Last Name attribute to be viewed in the Delegation of Control Wizard. I have done this but Last Name still doesn't show up for Read/Write.

Does anyone know why?

Best Answer

I've changed sn=7 to sn=0 and now I can see Last Name attribute.

Don't forget to restart ADUC after changes made to dssec.dat

Best Answer

Related Solutions

Active Directory Permissions – Granting User Modification Rights

Ldap – the best way to see objects attributes in Active Directory

Related Topic