How do I delegate control of the thumbnail photo field?

Abstract

You want to grant a Domain User the role of updating users' Outlook pictures in your Global Address List using Exclaimer Outlook Photos, but you do not want to give the user the ability to change all attributes for Domain Users in your Active Directory Domain.

Description

You must give Delegated Control to the assigned user, granting them read and write access to the Active Directory attribute "thumbnailPhoto". This can be achieved by following the steps below on your Domain Controller.

Note: If you have Microsoft Windows Remote Server Administration Tools (RSAT) installed, you can also use them to make these changes remotely from your Microsoft Windows desktop computer.
  1. Load "Active Directory Users and Computers" Management Console (dsa.msc).
  2. Right-click the Domain or Organizational Unit containing the Domain Users that you would like your assigned user to be able to upload pictures for and select "Delegate Control". The "Delegation of Control Wizard" will be displayed on the screen. Click Next.
  3. Click the "Add" button to add the user(s) or group to whom you would like to grant permission to change the Outlook Photo, then click Next.
  4. On the "Task to Delegate" page click the radio button "Create a custom task to delegate". Click Next.
  5. On the "Active Directory Object Type" page choose the radio button "Only the following objects in the folder" and tick the check box "User objects". Click Next.
  6. On the "Permissions" page tick the check box "Property-specific", then in the permissions list tick the boxes for "Read thumbnailPhoto" and "Write thumbnailPhoto". Click Next.
  7. Click "Finish" to complete the "Delegation of Control Wizard".

The assigned user(s) or group will now be able to read and write to the "thumbnailPhoto" attribute. For the permission changes to take effect, the user(s) will be required to log off and then log on.
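
To confirm that the delegation grants nothing beyond the "thumbnailPhoto" attribute, the access control entries on the Domain or Organizational Unit can be checked from PowerShell. The script below is an added example and is not part of Exclaimer's own tooling; it assumes the ActiveDirectory module from RSAT is installed, and the OU and group names in it are placeholders.

```powershell
# Added example: audit the ACEs a delegate holds on an OU after the wizard has run.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$OuDn     = 'OU=Staff,DC=example,DC=com'   # placeholder: OU chosen in step 2
$Delegate = 'EXAMPLE\PhotoAdmins'          # placeholder: principal added in step 3

# Look up the schema GUIDs at run time rather than hard-coding them.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$LdapName) {
    $entry = Get-ADObject -SearchBase $schemaNc `
        -LDAPFilter "(lDAPDisplayName=$LdapName)" -Properties schemaIDGUID
    [guid]$entry.schemaIDGUID
}
$photoGuid = Get-SchemaGuid 'thumbnailPhoto'
$userGuid  = Get-SchemaGuid 'user'

# The only rights the wizard steps are meant to grant.
$allowedMask = [int][System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'

# ACEs that name the delegate directly (access gained through other group
# memberships is not covered by this check).
$aces = (Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference.Value -eq $Delegate }

$report = foreach ($ace in $aces) {
    $extraRights = [int]$ace.ActiveDirectoryRights -band (-bnot $allowedMask)
    [pscustomobject]@{
        Rights      = $ace.ActiveDirectoryRights
        Type        = $ace.AccessControlType
        Inherited   = $ace.IsInherited
        ExpectedAce = ($ace.AccessControlType -eq 'Allow') -and
                      ($extraRights -eq 0) -and
                      ($ace.ObjectType -eq $photoGuid) -and
                      ($ace.InheritedObjectType -eq $userGuid)
    }
}
$report | Format-Table -AutoSize

$unexpected = @($report | Where-Object { -not $_.ExpectedAce })
if ($unexpected.Count -gt 0) {
    Write-Warning "$($unexpected.Count) ACE(s) for $Delegate on $OuDn go beyond read/write of thumbnailPhoto on user objects."
} elseif (-not $report) {
    Write-Warning "No ACE names $Delegate on $OuDn; the delegation was not applied here."
}
```

Every row should show ExpectedAce as True; a row showing False means the delegate holds a right on this container other than reading or writing "thumbnailPhoto" on user objects and should be reviewed.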