We have a tool being developed that will keep specific attributes of Active Directory user objects up to date with an authoritative source of employee information elsewhere, so that when someone's phone number, manager or location changes, Active Directory is automatically updated.

For normal users, delegating manipulation of those properties is simple to handle using the delegation tools, but for protected users, who have the adminSDHolder ACL applied, it's more difficult.

When adding an ACE to the adminSDHolder ACL using the UI, you're only able to grant access to all properties (which we don't want for security reasons), or to properties that exist on the adminSDHolder object itself - not user properties like department.

How do you grant access to specific properties of user objects under the protection of adminSDHolder?
This is doable, but only through the command line tools - the UI is incapable of making the changes (and of figuring out what those ACEs actually are once they're in place).

In order to grant access to a specific user object attribute, for example telephoneNumber, use dsacls. This creates an ACE for that attribute, which is meaningless on adminSDHolder since it doesn't have a telephoneNumber, but is then applied to the protected users.

Note that the UI tools will look like this, showing, for each of these properties you grant, an ACE that it isn't sure what to make of:

But,

dsacls "CN=AdminSDHolder,CN=System,DC=example,DC=com"

will show the truth:
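The same attribute-scoped grant done from PowerShell, as an added example that is not part of the original answer: it resolves each attribute's schemaIDGUID (the GUID an attribute-scoped ACE is keyed by, which is why the GUI can only offer properties AdminSDHolder itself carries), adds a WriteProperty ACE per attribute to AdminSDHolder, and reads the ACL back with the GUIDs mapped to names. The account name EXAMPLE\svc-hrsync and the attribute list are assumed placeholders.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# (AD: drive) and an account with rights to modify AdminSDHolder's DACL.
Import-Module ActiveDirectory

$Identity   = 'EXAMPLE\svc-hrsync'                            # assumed sync service account
$Attributes = @('telephoneNumber', 'department', 'manager')   # assumed attributes to delegate
$RootDse    = Get-ADRootDSE
$Holder     = "CN=AdminSDHolder,CN=System,$($RootDse.defaultNamingContext)"

# Resolve each attribute to its schemaIDGUID; ACEs reference attributes by this GUID,
# not by name, so the GUI has nothing to display for attributes the object lacks.
$AttrGuids = foreach ($name in $Attributes) {
    $obj = Get-ADObject -SearchBase $RootDse.schemaNamingContext `
                        -LDAPFilter "(lDAPDisplayName=$name)" -Properties schemaIDGUID
    if (-not $obj) { throw "attribute '$name' not found in the schema" }
    [PSCustomObject]@{ Name = $name; Guid = [guid]$obj.schemaIDGUID }
}

$Sid = (New-Object System.Security.Principal.NTAccount($Identity)).Translate(
           [System.Security.Principal.SecurityIdentifier])

$Acl = Get-Acl -Path "AD:\$Holder"
foreach ($a in $AttrGuids) {
    # WriteProperty on exactly one attribute, no inheritance flags: SDProp copies the
    # AdminSDHolder DACL onto protected accounts (default interval 60 minutes).
    $Rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $a.Guid)
    $Acl.AddAccessRule($Rule)
}
Set-Acl -Path "AD:\$Holder" -AclObject $Acl

# Read the DACL back and translate ObjectType GUIDs to attribute names, the step the
# UI cannot do for attributes AdminSDHolder does not carry.
$Acl = Get-Acl -Path "AD:\$Holder"
$Acl.Access | Where-Object { $_.IdentityReference.Value -eq $Identity } | ForEach-Object {
    $ace  = $_
    $name = ($AttrGuids | Where-Object { $_.Guid -eq $ace.ObjectType }).Name
    '{0,-14} {1,-38} {2}' -f $ace.ActiveDirectoryRights, $ace.ObjectType, $name
}
```

Run the read-back section alone to audit an existing AdminSDHolder DACL; any WriteProperty ACE whose ObjectType is the empty GUID grants write to all properties, the broad grant the question wants to avoid.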