Setting special permissions for updating only specific attributes in Active Directory
Created: 2012-04-20 08:09:59 | Modified: 2017-06-11 08:27:49
Tags: Active Directory Directify Exchange 20xx UnitySync
This article describes how to restrict the attribute permissions of the Active Directory account used by Directify or UnitySync.
For UnitySync (creation and modification of objects) or Directify (editing of objects), you may wish to limit updates to only specific Destination attributes. To accomplish this, we suggest fine-tuning the permissions of the Active Directory (AD) login account so that it has write access only to those specific attributes. This follows least privilege: the account cannot change any other attribute on the affected objects, whether through the product, through a misconfiguration, or if its credentials are compromised. This can be done in AD as follows:
Create a login account on the destination directory (e.g. SSUser).
In Active Directory Users and Computers, enable View > Advanced Features.
Right-click the container (OU) where you want to set permissions.
Select Properties.
Click the Security tab.
Click Advanced.
Click Add.
Select the AD account (the principal) and click OK.
In the Permission Entry window, click the Properties tab (on Windows Server 2012 and later the properties appear in the same window once you clear "Show basic permissions").
In the Apply to: menu, select User objects (labelled "Descendant User objects" on newer versions).
Tick Write for each of the desired attributes, leaving Read and Write on everything else unchecked. (See the note below if your attribute is not listed.)
Click OK on each dialog to save and exit. You can confirm the result on the Effective Access (Effective Permissions on older versions) tab of the Advanced Security Settings dialog, which shows exactly which attributes the account can write.
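The same permissions can be granted from PowerShell, which is easier to review and repeat than clicking through the dialogs. The following is an added example and not part of the original article or of the Directify/UnitySync products; the account name, OU distinguished name and attribute list are assumptions to be replaced with your own. It looks up the schema GUID of each attribute and of the user class, then adds one Write Property ACE per attribute that applies only to descendant user objects of the OU.

```powershell
# Added example (not from the original article): grant an account write access to a
# fixed list of user attributes on one OU, the PowerShell equivalent of the ADUC steps above.
# Assumed values: account EXAMPLE\SSUser, OU "OU=Synced Users,DC=example,DC=com" and the
# attribute list below; replace them with your own. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$account    = 'EXAMPLE\SSUser'
$ouDN       = 'OU=Synced Users,DC=example,DC=com'
$attributes = 'telephoneNumber', 'mobile', 'title', 'department'

$schemaNC = (Get-ADRootDSE).schemaNamingContext
$identity = New-Object System.Security.Principal.NTAccount($account)

# Look up a schema object's schemaIDGUID by its lDAPDisplayName; throws if it does not exist,
# so a typo in the attribute list fails loudly instead of silently granting nothing.
function Get-SchemaGuid {
    param([string]$Class, [string]$Name)
    $obj = Get-ADObject -SearchBase $schemaNC -Properties schemaIDGUID `
        -LDAPFilter "(&(objectClass=$Class)(lDAPDisplayName=$Name))"
    if (-not $obj) { throw "Schema object '$Name' of class $Class not found" }
    return [guid]$obj.schemaIDGUID
}

# GUID of the "user" class: used as the inherited-object type so the ACEs apply to
# user objects only (the "Apply to: Descendant User objects" choice in the GUI).
$userClassGuid = Get-SchemaGuid -Class classSchema -Name 'user'

$acl = Get-Acl -Path "AD:\$ouDN"
foreach ($attr in $attributes) {
    $attrGuid = Get-SchemaGuid -Class attributeSchema -Name $attr
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $identity,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $attrGuid,                                                              # this attribute only
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid)                                                         # on user objects only
    $acl.AddAccessRule($ace) | Out-Null
}
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verification: list the WriteProperty ACEs now held by the account on this OU.
# ObjectType is the attribute GUID, InheritedObjectType the user class GUID.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -eq $account -and
                   $_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

Two caveats apply whether you use the GUI or the script. The account still needs Read access on the objects (normally inherited through Authenticated Users) so the product can locate and compare them, and write-property ACEs alone do not allow UnitySync to create objects: for creation the account additionally needs the Create child permission for user objects on the container, which widens what a compromised account can do and should be granted only if creation is actually required.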
Note: Not all attributes are shown in the User objects permission list by default; Active Directory Users and Computers hides many of them through a filter file. If the attribute you need is not listed, you can edit the DSSEC.DAT file on the machine where you run the console to make it visible.
The file %WINDIR%\System32\DSSEC.DAT contains the filter settings, grouped in sections named after object classes (for example [user]). An attribute whose entry reads name=7 is hidden from the permission dialogs; changing the value to 0 makes its Read and Write entries visible. Using the "lockoutTime" attribute as an example: open the file in a text editor running as an administrator, find lockoutTime=7 in the [user] section, change it to lockoutTime=0, save the file and restart Active Directory Users and Computers. The same process can be applied to any attribute. Editing the file changes only what the console displays; it does not change any permissions in the directory.
More information is available in Microsoft KB 296490 (http://support.microsoft.com/kb/296490).
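Because DSSEC.DAT is a plain INI-style file, the edit can be scripted and checked rather than done by hand. The following is an added example that is not part of the original article or of the Microsoft KB; it assumes the [user] section and the name=7 / name=0 convention described above, and the attribute name is a parameter you can change.

```powershell
# Added example (not from the original article): unhide an attribute in the ADUC permission
# dialogs by editing %WINDIR%\System32\DSSEC.DAT. Assumes the file's [user] section lists
# attributes as name=7 (hidden) and that 0 makes them visible. Run as an administrator,
# then restart Active Directory Users and Computers for the change to take effect.
param(
    [string]$Attribute = 'lockoutTime',   # the article's example attribute; change as needed
    [string]$Section   = 'user'           # object class section to edit
)

$path = Join-Path $env:WINDIR 'System32\DSSEC.DAT'
if (-not (Test-Path $path)) { throw "Filter file not found: $path" }

# Keep a backup so the original filter settings can be restored.
Copy-Item -Path $path -Destination "$path.bak" -Force

$lines     = Get-Content -Path $path
$inSection = $false
$changed   = $false

for ($i = 0; $i -lt $lines.Count; $i++) {
    $line = $lines[$i]
    # Section headers look like [user], [computer], [group] ...
    if ($line -match '^\s*\[(.+?)\]\s*$') {
        $inSection = ($Matches[1] -eq $Section)
        continue
    }
    if ($inSection -and $line -match "^\s*$([regex]::Escape($Attribute))\s*=\s*7\s*$") {
        $lines[$i] = "$Attribute=0"
        $changed   = $true
    }
}

if ($changed) {
    Set-Content -Path $path -Value $lines
    Write-Host "Set $Attribute=0 in [$Section] of $path; restart ADUC to see the attribute."
} else {
    # Either the attribute is already visible or its entry is missing from this section.
    Write-Warning "No '$Attribute=7' entry found in [$Section]; nothing changed."
}
```

The script only affects how the local console displays permissions, so it must be run on each administrator workstation where the dialog is used; it grants nothing in the directory itself.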