1. Ensure that you have selected the correct object type in the applies to
section. If that's no good, use ADSIEDIT or DSACLS as ADUC masks some stuff
from you.

2. You need to evaluate and deploy a tool to do this. Many people prefer
3rd party or custom developed web sites. Others prefer a custom MMC in a
taskpad view. Others buy 3rd party enterprise products that do this and
much more. You need to do one of the above.

If you don't have the resources for a web front end, consider a custom MMC
taskpad. You'll need to install the adminpak on the workstation, and the
taskpad. You might be able to get away with only some of the adminpak:
-- http://support.microsoft.com/kb/314978

Hello,

Let me try to help you with this solution. First, you can try to use the
delegation wizard, but sometimes that is not as granular as people would
like. So lets say you want to give permissions to the "hdesk" group to
change the city and state attributes on your "sales users" OU.

Right click on the "sales users" OU and select properties > Security tab
Applies onto field select "User objects".

You won't see the city attribute show up here (its attribute name is
actually "l") but you can find out which "property set" it belongs to. You
can see the property sets defined here:
http://technet2.microsoft.com/WindowsServer/en/library/2044d125-cfb2-428c-aa8c-c4e5ac007ba41033.mspx?mfr=true

The "Personal Information" property set might work for you. It contains
"Locality-Name" and "State-Or-Province-Name".

Here is another helpful article:
http://www.windowsecurity.com/articles/Implementing-Active-Directory-Delegation-Administration.html

The second part of this is to delegate a nice interface to the employees you
would like to manage your data. Most IT people do not want to put tools
like ADUC (even in task pad form) in the hands of HR employees, low-level
helpdesk employees, and other non-IT manager folks.

DSRAZOR for Windows can help you out with this part. There are standalone
applets that you can depoloy to the user's desktops or to a network share
that lets them edit the information in Active Directory. The applet is fully
customizable in the Designer so that you can pick which fields you want your
users to see and be able to edit. This creates a nice, clean UI for your
users that they will be comfortable and familiar with. You can have them
edit any attribute you want, as long as they have permissions.

Check it out at www.visualclick.com/?source=delegate022707
You can sign up for a free evaluation or a free one-on-one web meeting with
an engineer to show you how this can work in your environment.
--
Ken Aldrich
DSRAZOR for Windows
Visual Click Software, Inc.
www.visualclick.com