We have several Linux servers that are AD integrated, all our DC's are Server 2008R2 running at 2003 DFL and FFL with MSSFU installed. I wish to delegate the population of the UNIX Attributes tab to an AD group for our Service Desk. I have delegated read, write and read all, write all permissions for all msSFU*** objects. When testing the permissions I open Users & Computers, open a user and switch to the UNIX Attributes tab. I then select the domain from the drop down which auto populates the rest of the fields, no problem. When I click apply I get the below error, but if I check the attributes themselves in Attribute editor they have populated and I can use the user in Linux.
Unable to modify the object property values.
Check your credentials.
There could be a network problem.
Active Directory Domain Services could be down.
Contact your system administrator.
I do not want to give the group "Full Control" of the OU's as per other threads, this is not an adequate answer, I do not wish to give the group this much control. I should point out that the setup works perfectly as a domain admin for obvious reasons. Any help will be gratefully received.
