Christoph was implementing a function into Active Directory Integration (ADI) (a WordPress plugin for Active Directory authentication and authorization) called Sync Back. With this function WordPress users are able to write back their WordPress profile to their Active Directory account.
A problem that occured was that by default Active Directory users belonging to security principal Domain Users are only allowed to read but not to write their own attributes. Christoph implemented a WordPress setting which uses a global Active Directory user who has write permissions to every account – this user (setting is called Global Sync User in ADI) belonged to the security group Domain Adminstrators. You have security considerations? I had.
After a few minutes we modified the security settings in the Active Directory schema so that users are able to change their own Active Directory profile / attributes.
The steps are easy:
- Start ADSIEdit.msc as a user belonging to security group Domain-Administrators, e.g.
runas /user:email@example.com "adsiedit.msc"
- Connect to your Domain Controller and navigate to the organization unit of your choice in which the users are allowed to change their profile, right click on the OU (e.g. OU=Power User) and select Properties.
- Select the tab Security and scroll down to the security principal SELF. If it does not exist (which is the default for OUs but not for CNs) click on Add and type SELF into to object name text field.
- Select SELF and grant the Write permission.
- You can grant the Write permission to OUs or CNs. If you grant it to a OU every user below the OU can change their own attributes but not the attributes of other users in the same OU. SELF will be automatically replaced by Active Directory security mechanism by the current logged on user.
- Users with Write permission can change every own user attribute in Active Directory Users and Computers MMC except for Account supports Kerberos AES-*-Bit encryption and the Member of tab.