Active Directory Delegation Model

For quite a while I’ve been working with a large customer and have been involved in a lot of AD delegations. Delegation is a common requirement in AD, and I found a model that works pretty well.
Many times you have different groups or software within a company that need to modify certain sets of properties for users, groups, contacts, etc. Often these requirements overlap, so several entities need to modify the display name of a user or edit their telephone numbers.
If you set up a separate group for each new requirement, you can end up with several groups all having office telephone number modification rights, for example. This gets very messy, results in lengthy ACLs on objects, and makes it harder to document.
The solution I came up with for a particular customer solves many of these problems. I break down the attributes for each object type (users, contacts, etc.) into multiple property sets. For example, a group called "Users_WriteProp-1" has write access to the following properties:
Assistant, Company, Country, mobile number, fax number, street address, city, zip, job title.
Group "Users_WriteProp-2" would have write access to:
AccountExpires, ProfilePath, Home Folder, Member Of, Description, Notes, Office location.
Group "Users_WriteProp-3" would have write access to:
Display name, EmployeeID, Employee Number, First Name, Initials, Last Name.
Group "Users_WriteProp-4" would have write access to:
UserAccountControl
Let’s say you have the helpdesk, and they can only modify basic user information. You can create a group called "Helpdesk" and make it a member of Users_WriteProp-1 and Users_WriteProp-2.
If you are using MIIS and need it to update user attributes, you can add the MIIS service account to the needed Users_WriteProp groups.
To make the best use of this model, make a master list of all the properties you need to delegate. Then break them down into logical groupings based on delegation requirements. A group might have 15 properties associated with it, or maybe just one.
With this model, each user object will just have a series of Users_WriteProp groups in its ACL, which makes it very easy to delegate, document, and ensure that groups do not have more rights than they need.
This model can also be extended to contacts, groups, or any other AD object where multiple delegations for various attributes are needed.
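As an added example that is not part of the original post, the following PowerShell builds the four Users_WriteProp groups described above, grants each one WriteProperty on its attribute set for user objects under an OU, and nests the Helpdesk group into sets 1 and 2. It assumes the RSAT ActiveDirectory module; the OU paths and the "Helpdesk" group name are placeholders.

```powershell
# Added example, not from the original post: creates the Users_WriteProp-N groups
# and grants each WriteProperty on its attribute set for user objects under an OU.
# Assumes the RSAT ActiveDirectory module; OU paths and 'Helpdesk' are placeholders.
Import-Module ActiveDirectory
$TargetOU = 'OU=Users,DC=corp,DC=example'       # placeholder: OU holding the user objects
$GroupOU  = 'OU=Delegation,DC=corp,DC=example'  # placeholder: OU for the delegation groups

# The property sets from the post, as lDAPDisplayName values. ADUC's Country field writes
# c, co and countryCode; Home Folder is homeDirectory plus homeDrive; Notes is info.
# "Member Of" is omitted: memberOf is a back-link, so group membership is delegated on
# the group's member attribute, not on the user object.
$PropertySets = @{
    'Users_WriteProp-1' = 'assistant','company','c','co','countryCode','mobile',
                          'facsimileTelephoneNumber','streetAddress','l','postalCode','title'
    'Users_WriteProp-2' = 'accountExpires','profilePath','homeDirectory','homeDrive',
                          'description','info','physicalDeliveryOfficeName'
    'Users_WriteProp-3' = 'displayName','employeeID','employeeNumber','givenName','initials','sn'
    'Users_WriteProp-4' = 'userAccountControl'
}

$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$userClass = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the user class

function Get-SchemaGuid([string]$ldapName) {
    # Resolve an attribute's lDAPDisplayName to the schemaIDGUID used in object-specific ACEs
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$ldapName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Attribute '$ldapName' not found in the schema" }
    [guid]$obj.schemaIDGUID
}

$acl = Get-Acl -Path "AD:\$TargetOU"
foreach ($groupName in $PropertySets.Keys) {
    if (-not (Get-ADGroup -Filter "Name -eq '$groupName'" -SearchBase $GroupOU)) {
        New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $GroupOU
    }
    $sid = (Get-ADGroup -Identity $groupName).SID
    foreach ($attr in $PropertySets[$groupName]) {
        # One ACE per attribute: Allow WriteProperty on that attribute only, inherited by descendant
        # user objects only. The OU's ACL ends up listing just the WriteProp groups.
        $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
            $sid, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
            [System.Security.AccessControl.AccessControlType]::Allow, (Get-SchemaGuid $attr),
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, $userClass)
        $acl.AddAccessRule($ace)
    }
}
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# Role groups are nested into the property-set groups rather than getting ACEs of their own
Add-ADGroupMember -Identity 'Users_WriteProp-1' -Members 'Helpdesk'
Add-ADGroupMember -Identity 'Users_WriteProp-2' -Members 'Helpdesk'
```

Review the result with `(Get-Acl "AD:\$TargetOU").Access | Where-Object IdentityReference -like '*Users_WriteProp*'` before rolling it out more widely.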

Derek Seaman