AD Photo Editor - https://albusbit.com/ADPhotoEditor.php
AD Administrator - https://albusbit.com/ADAdministrator.php
Remote Server Administration Tools for Windows 7 - https://www.microsoft.com/en-us/download/details.aspx?id=7887
Remote Server Administration Tools for Windows 8.1 - https://www.microsoft.com/pt-BR/download/details.aspx?id=39296
Remote Server Administration Tools for Windows 10 - https://www.microsoft.com/pt-pt/download/details.aspx?id=45520
SysAdmin Anywhere - https://www.microsoft.com/pt-br/p/sysadmin-anywhere/9nblggh0ffwn?activetab=pivot:overviewtab
Windows Admin Center - https://www.microsoft.com/en-us/evalcenter/evaluate-windows-admin-center
https://www.ittsystems.com/best-free-active-directory-tools/#AD%20Administrator
You can delegate control on the OU as Marcin has suggested.
I would recommend creating a group, adding the user to this group, and delegating control to edit Contact objects for easy manageability. Later, if some other user needs permission or needs to be removed, you can add/remove users from the group.
Follow the below mentioned steps to accomplish the task.
1. Select the OU where you want to delegate the Controls.
2. Right Click OU -> Delegate Control
3. Click next on the first screen.
4. Now add the user/group to whom you want to delegate the control. (Next)
5. Choose the second option (Create a custom task to delegate)
6. If you are planning to allow the user to only update the User Contact information, then Choose, "Only the following objects in the folder" -> "User Objects" (Last in the list)
Note: Here you can also give special permission to create/delete the user objects from the OU. (Next)
7. Choose all that applies on this page. On this page you are setting what this user can change for all other users under this OU.
8. Finish... And you are done with the delegation.
In order to allow the user to edit contacts from a workstation PC, you can install adminpak (WinXP) or RSAT (Win7), depending upon the client OS version.
Windows Server 2003 Administration Tools Pack for winXP
http://www.microsoft.com/download/en/details.aspx?id=16770
Remote Server Administration Tools for Windows 7
http://www.microsoft.com/download/en/details.aspx?id=7887
Alternately, if the user wants Exchange System Management tools installed on the workstation, they require permission on Exchange as well. So in Exchange System Manager, if you right click the root (server name), select "Delegate Control" and give the user "Exchange View Only Administrator", this will be adequate for the user to make changes to the OU you specify.
https://social.technet.microsoft.com/Forums/ie/en-US/5422b189-93af-406b-9a0e-b884fe12b960/how-to-delegate-permission-to-a-user-to-allow-them-to-edit-contact-objects?forum=winserverDS
To delegate permission for a domain user to:
add new users to container
change password
modify group membership
modify users properties (such as email / name etc)
move users between OU's
I had to create 2 groups, as the Delegation Wizard wouldn't let me specify what to choose on each User object when I choose more than the User object. So I decided to create 2 groups. One for user management and one for group management.
The first one required these steps:
Right click on container and choose Delegate Control
When Delegation Wizard opens up click Next
On another page choose group you want to give permissions to and press Next
On next page Create a custom task to delegate and choose Next
Choose Only the following objects in the folder and go to the bottom of the list and choose User objects. Choosing anything more than just one entry will not give you the possibility of a granular choice of properties to change.
Make sure to have Create selected objects in this folder checked and press Next
Choose:
Read All Properties
Write All Properties
Read and write general information
Read and write logon information
Read and write phone and mail options
Read and write web information
Read and write Terminal Server license server
Read and write remote access information
Change password
Reset password
This allows creating a user and enabling / disabling a user, but not deleting it. At this point the user isn't able to change group membership, as this has to be done differently.
https://serverfault.com/questions/336723/grant-permission-in-active-directory-to-add-users-modify-changed-password
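One way to check what the delegation steps above actually wrote to the OU's ACL, as an added example that is not part of either quoted answer. The OU distinguished name, the group name and the Resolve-Guid helper are assumptions made for illustration; the GUIDs are the well-known schema identifiers for the user class and the two password rights.

```powershell
# Added example: list the explicit (non-inherited) ACEs a delegated group holds on an OU.
# Requires the ActiveDirectory module (part of RSAT), which provides the AD: drive.
Import-Module ActiveDirectory

$OuDn  = 'OU=Staff,DC=example,DC=com'   # placeholder OU, replace with your own
$Group = 'EXAMPLE\UserAdmins'           # placeholder delegated group

# Well-known GUIDs matching the wizard choices described above.
$Known = @{
    '00000000-0000-0000-0000-000000000000' = '(all)'
    'bf967aba-0de6-11d0-a285-00aa003049e2' = 'user (class)'
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password (extended right)'
    'ab721a53-1e2f-11d0-9819-00aa0040529b' = 'Change Password (extended right)'
}

# Hypothetical helper: show a friendly name when the GUID is one listed above.
function Resolve-Guid([guid]$Id) {
    $key = $Id.ToString()
    if ($Known.ContainsKey($key)) { $Known[$key] } else { $key }
}

$writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference.Value -eq $Group -and -not $_.IsInherited } |
    ForEach-Object {
        [pscustomobject]@{
            Type      = $_.AccessControlType
            Rights    = $_.ActiveDirectoryRights
            Object    = Resolve-Guid $_.ObjectType           # property, right or child class
            AppliesTo = Resolve-Guid $_.InheritedObjectType  # object class the ACE is inherited by
            Scope     = $_.InheritanceType
            # Write access with an empty property GUID covers every attribute.
            AllProps  = $_.ActiveDirectoryRights.HasFlag($writeProp) -and
                        ($_.ObjectType -eq [guid]::Empty)
        }
    } | Format-Table -AutoSize
```

An ACE with AllProps set to True corresponds to the "Write All Properties" choice in the wizard; an empty result means the group has no explicit ACEs on that OU.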