mathias dufresne
2015-Dec-07 12:36 UTC
[Samba] Give users possibility to manage part of their AD account
Hi all, Is there a way to give users (all AD users for a start) the possibility to manage themselves some of their user attributes (as loginShell for example)? Thanks and regards, mathias
Marc Muehlfeld
2015-Dec-07 20:44 UTC
[Samba] Give users possibility to manage part of their AD account
Hello, Am 07.12.2015 um 13:36 schrieb mathias dufresne:> Is there a way to give users (all AD users for a start) the possibility to > manage themselves some of their user attributes (as loginShell for example)?This sounds dangerous, but you can set directory ACLs for that. Two examples for delegation tasks, you can find in these doc: https://wiki.samba.org/index.php/Delegation/Join_machines_to_a_domain https://wiki.samba.org/index.php/Delegation/Account_management But be warned: Setting wrong ACLs in your directory can have serious effects - from security issues to a broken AD. So make sure you have a working backup and know exactly what you're doing! Regards, Marc
Ole Traupe
2015-Dec-08 16:05 UTC
[Samba] Give users possibility to manage part of their AD account
You can configure OU delegation from ADUC. Ole Am 07.12.2015 um 21:44 schrieb Marc Muehlfeld:> Hello, > > Am 07.12.2015 um 13:36 schrieb mathias dufresne: >> Is there a way to give users (all AD users for a start) the possibility to >> manage themselves some of their user attributes (as loginShell for example)? > This sounds dangerous, but you can set directory ACLs for that. > > Two examples for delegation tasks, you can find in these doc: > https://wiki.samba.org/index.php/Delegation/Join_machines_to_a_domain > https://wiki.samba.org/index.php/Delegation/Account_management > > But be warned: Setting wrong ACLs in your directory can have serious > effects - from security issues to a broken AD. So make sure you have a > working backup and know exactly what you're doing! > > > Regards, > Marc >