
Delegating something… “I don’t see the attribute I want to delegate!”

While dealing with some delegation tasks recently, I had to recall some basics. It actually took two occurrences of “suddenly missing attributes” before I looked at the problem seriously and found out that “filtered attributes” are not only an RODC matter =,,)

So, the situation usually presents itself like this: you try to delegate permissions on an attribute in AD through the Delegation of Control wizard and find that you cannot, because the attribute is not listed in the wizard. Let me show you an example. Suppose I want to delegate permission to change the employeeID attribute of contact objects to some group. In the wizard you get the following dialog:

image

As you can see, there are no employeeID check boxes to tick. Where are they? Simple: they have been filtered from view. This is done to make our life easier: some objects have far too many attributes that are rarely needed, and hiding them keeps the wizard (and not only the wizard) from being overcrowded. “But, but, but… I need it!”, you say. No problem, let's get the attribute back. To do so we need to edit the dssec.dat file in the %systemroot%\system32 folder (make a backup copy first!). Note that this file is read by the console on the computer where ADUC runs, so edit it on the machine you delegate from; it only controls what the console displays, not the ACLs stored in the directory. It has a very simple structure: one section per object class, which begins with [<objectclass>] and runs until the next section header. For instance, the section for contact looks like this:

image

As you can see, each line in the section consists of an attribute name, an “=” sign and a number. In the red rectangle is the property we cannot delegate access to. Why? Because of the number 7. What should we put there instead? The number works as a set of flags, and there are only a few values to choose from:

  • 0 displays both the read and the write check box
  • 1 displays only the write check box (read is hidden)
  • 2 displays only the read check box (write is hidden)
  • 7 (the value you will find for filtered properties) hides both again

So let us put “employeeID=0” there:

image

restart the ADUC console, start the Delegation wizard again, and:

image

Voilà!
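The same edit done from PowerShell, as an added example rather than anything from the original post. It backs up dssec.dat, changes the value only inside the section for one object class (so an employeeID entry under [user] or [person] is left alone), refuses to write if it finds no matching line, and reminds you to restart the console. The object class, attribute, value and path are parameters with the values from this post as defaults; run it from an elevated prompt on the machine where ADUC is started. It assumes the file is plain ASCII text, which is what dssec.dat ships as.

```powershell
# Added example (not from the original post): unhide one property of one
# object class in the Delegation of Control wizard by editing dssec.dat.
# Run elevated on the computer that runs the ADUC console.
param(
    [string]$ObjectClass = 'contact',                       # section name, e.g. [contact]
    [string]$Property    = 'employeeID',                    # attribute line inside that section
    [ValidateSet(0, 1, 2, 7)]
    [int]$Value          = 0,                               # 0 = read+write, 1 = write only, 2 = read only, 7 = hidden
    [string]$Path        = (Join-Path $env:SystemRoot 'System32\dssec.dat')
)

# 1. Back up the file before touching it.
$backup = "$Path.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
Copy-Item -LiteralPath $Path -Destination $backup
Write-Host "Backup written to $backup"

# 2. Read the file as ASCII (assumption: dssec.dat contains only ASCII text).
$lines = Get-Content -LiteralPath $Path -Encoding Ascii

# 3. Walk the lines, tracking which [section] we are in. Only the
#    "<Property>=<number>" line inside [<ObjectClass>] is rewritten.
$inSection = $false
$found     = $false
$pattern   = '^\s*' + [regex]::Escape($Property) + '\s*=\s*\d+\s*$'

$out = foreach ($line in $lines) {
    if ($line -match '^\s*\[(?<name>[^\]]+)\]\s*$') {
        $inSection = ($Matches['name'] -ieq $ObjectClass)
        $line
        continue
    }
    if ($inSection -and $line -match $pattern) {
        $found = $true
        "$Property=$Value"
        continue
    }
    $line
}

# 4. Refuse to write anything if the expected line was not there: either the
#    section or the attribute name is misspelled, or the property was never
#    filtered for this class in the first place.
if (-not $found) {
    throw "No '$Property=' line found under [$ObjectClass] in $Path; file left unchanged."
}

# 5. Write back in the same encoding. The console reads dssec.dat when the
#    snap-in loads, so ADUC must be restarted for the change to show up.
Set-Content -LiteralPath $Path -Value $out -Encoding Ascii
Write-Host "[$ObjectClass] $Property set to $Value. Restart Active Directory Users and Computers."
```

One practical caveat: dssec.dat only changes what the GUI shows, and the directory itself never hid anything. If you just need the ACE in place and do not care about the wizard, dsacls writes it directly without any of this, for example `dsacls "OU=Contacts,DC=contoso,DC=com" /I:S /G "CONTOSO\Contact-Editors:WPRP;employeeID;contact"` (the OU and group names here are placeholders). The dssec.dat edit is still worth doing on the admin workstations, because otherwise the ACE you granted will not be visible in the console's property list either, which makes later audits of the delegation harder than they need to be.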

Some extra reading:

http://support.microsoft.com/kb/296490

http://technet.microsoft.com/en-us/library/cc756087(WS.10).aspx