[Samba] samba4 AD, allow users to modify (some of) their own attributes
Davor Vusir
davortvusir at gmail.com
Wed Apr 9 09:05:48 MDT 2014
On 2014-04-09 14:34, mourik jan heupink - merit wrote:
> Hi list, Andrew,
>
>>> I have searched around a bit, and found this:
>>> http://www.schakko.de/2011/03/30/how-to-give-users-the-permission-to-change-their-own-active-directory-attributesprofile/
>>>
>>>
>>> Are there others ways to do this easier, for example with acl's like we
>>> had in openldap, or is the above link really the way to (attempt to) go
>>> in samba4?
>>
>> That looks correct, as we implement NT ACLs on the AD database.
>>
>> Andrew Bartlett
>
> Thanks for your response, Andrew. Now I took the time to study this a
> bit more, but it seems that giving modify permissions to 'SELF' on our
> Active Directory, it would mean users could edit ALL their details.
> This seems a bit too loose...
>
> I would like my users to be able to self-edit only some fields like
> roomNumber, jpegPhoto, displayName, mobile, wWWHomePage, etc.
>
> I don't think the above link would help me to get those permissions,
> right? Has anyone else already done something like this?

Start ADUC and create a group 'Selfie-PropEdit' and add select
user accounts and groups.
Right-click the container where the user accounts are situated and start
the 'Delegate Control...'-wizard. Click Next.
Add the group 'Selfie-PropEdit' and click Next.
Choose 'Create a custom task to delegate' and click Next.
Choose 'Only the following objects in the folder', scroll down and mark
'User objects'. Click Next.
Mark 'Property-specific' and choose appropriate properties from the
'Permissions'-list and click Next.
Click Finish.

Regards
Davor
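
An added example, not part of the original thread or of Samba: a small audit that reads a directory object's DACL in SDDL form and reports which allow ACEs grant property writes, separating the "SELF can edit ALL details" case raised in the question from a property-specific delegation like the one the wizard creates. The SDDL string, the GUIDs and the group SID are constructed placeholders; real attribute GUIDs are the schemaIDGUID values from your schema.

```python
import re

# Constructed sample security descriptor (not from the thread). GUIDs and the
# group SID are placeholders; real attribute GUIDs are schemaIDGUID values.
MOBILE_GUID = "11111111-1111-1111-1111-111111111111"   # placeholder attribute GUID
USER_CLASS = "22222222-2222-2222-2222-222222222222"    # placeholder class GUID
GROUP_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # constructed
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    "(A;;RPWP;;;PS)"                                         # SELF: write all
    f"(OA;CI;WP;{MOBILE_GUID};{USER_CLASS};{GROUP_SID})"     # one property
    "(OA;;RP;" + MOBILE_GUID + ";;AU)"                       # read only
    "(A;CI;0x20;;;" + GROUP_SID + ")"                        # hex mask, write all
)

# Access-mask bits that include writing directory properties.
WRITE_BITS = 0x20 | 0x40000000 | 0x10000000   # WRITE_PROP, GENERIC_WRITE, GENERIC_ALL
WRITE_CODES = {"WP", "GW", "GA"}


def parse_dacl(sddl):
    """Yield (type, rights, object_guid, trustee) for each ACE in the DACL."""
    m = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    if not m:
        return
    for body in re.findall(r"\(([^()]*)\)", m.group(1)):
        f = body.split(";")
        if len(f) >= 6:          # type;flags;rights;object;inherited_object;trustee
            yield f[0], f[2], f[3], f[5]


def grants_write(rights):
    """True if the rights field (two-letter codes or a hex mask) allows writes."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & WRITE_BITS)
    return bool({rights[i:i + 2] for i in range(0, len(rights), 2)} & WRITE_CODES)


def audit_write_aces(sddl):
    """List allow ACEs that grant property writes, with how wide each one is."""
    findings = []
    for ace_type, rights, obj, trustee in parse_dacl(sddl):
        if ace_type in ("A", "OA") and grants_write(rights):
            scope = obj if ace_type == "OA" and obj else "ALL"
            findings.append((trustee, scope))
    return findings


if __name__ == "__main__":
    for trustee, scope in audit_write_aces(SAMPLE_SDDL):
        print(f"{trustee:50} writes: {scope}")
```

A scope of "ALL" marks an ACE with no object GUID, which is the overly loose grant; a GUID in that column means the write is limited to that attribute or property set.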