[Samba] samba4 AD, allow users to modify (some of) their own attributes

Davor Vusir davortvusir at gmail.com
Wed Apr 9 09:05:48 MDT 2014


On 2014-04-09 14:34, mourik jan heupink - merit wrote:
> Hi list, Andrew,
>
>>> I have searched around a bit, and found this:
>>> http://www.schakko.de/2011/03/30/how-to-give-users-the-permission-to-change-their-own-active-directory-attributesprofile/ 
>>>
>>>
>>> Are there other ways to do this more easily, for example with ACLs like we
>>> had in openldap, or is the above link really the way to (attempt to) go
>>> in samba4?
>>
>> That looks correct, as we implement NT ACLs on the AD database.
>>
>> Andrew Bartlett
>
> Thanks for your response, Andrew. Now I took the time to study this a 
> bit more, but it seems that giving modify permissions to 'SELF' on our 
> Active Directory would mean users could edit ALL their details. 
> This seems a bit too loose...
>
> I would like my users to be able to self-edit only some fields like 
> roomNumber, jpegPhoto, displayName, mobile, wWWHomePage, etc.
>
> I don't think the above link would help me to get those permissions, 
> right? Has anyone else already done something like this?

Start ADUC and create a group 'Selfie-PropEdit' and add select 
user accounts and groups.

Right-click the container where the user accounts are situated and start 
the 'Delegate Control...' wizard. Click Next.
Add the group 'Selfie-PropEdit' and click Next.
Choose 'Create a custom task to delegate' and click Next.
Choose 'Only the following objects in the folder', scroll down and mark 
'User objects'. Click Next.
Mark 'Property-specific' and choose appropriate properties from the 
'Permissions'-list and click Next.
Click Finish.

Regards
Davor
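
An added example, not part of the original post or of Samba's own code: a small Python check over the SDDL form of a container's security descriptor that separates ACEs granting write access to all properties from property-specific ones, the distinction this thread turns on. The sample SDDL and its GUIDs are constructed placeholders, and the function names are hypothetical.

```python
import re

WRITE_PROP = 0x20                 # ADS_RIGHT_DS_WRITE_PROP access-mask bit
WRITE_CODES = {"WP", "GW", "GA"}  # SDDL rights that include write-property


def grants_write(rights):
    """True if an SDDL rights field (two-letter codes or hex mask) allows writes."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & WRITE_PROP)
    codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return bool(codes & WRITE_CODES)


def audit_write_aces(sddl):
    """Return (trustee, scope) for every allow ACE that grants property writes.

    scope is the object GUID (an attribute or property set) for a
    property-specific ACE, or "ALL_PROPERTIES" when the ACE is unscoped.
    """
    findings = []
    for body in re.findall(r"\(([^()]*)\)", sddl):
        fields = body.split(";")
        if len(fields) < 6:
            continue
        ace_type, _flags, rights, obj_guid, _inherit_guid, trustee = fields[:6]
        # Only allow ACEs matter here: A = plain allow, OA = object allow.
        if ace_type not in ("A", "OA") or not grants_write(rights):
            continue
        scoped = ace_type == "OA" and obj_guid
        findings.append((trustee, obj_guid if scoped else "ALL_PROPERTIES"))
    return findings


def too_broad(sddl, trustee="PS"):
    """ACEs that let the trustee (PS = SELF by default) write every property."""
    return [f for f in audit_write_aces(sddl)
            if f[0] == trustee and f[1] == "ALL_PROPERTIES"]


# Constructed sample: placeholder GUIDs, not real schemaIDGUID values.
SAMPLE_SDDL = (
    "O:DAG:DAD:"
    "(A;CI;RPWP;;;PS)"   # SELF may write ALL properties (the 'too loose' case)
    "(OA;CI;WP;11111111-1111-1111-1111-111111111111;"
    "22222222-2222-2222-2222-222222222222;PS)"  # SELF may write one attribute
    "(OA;CI;RP;;;AU)"    # read-only ACE, ignored
)

if __name__ == "__main__":
    for trustee, scope in audit_write_aces(SAMPLE_SDDL):
        print(trustee, scope)
```

Running it over the descriptor after a delegation change shows whether any unscoped write ACE remains for the trustee.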


