In "Setting Active Directory Property Permissions," July 2000, InstantDoc ID 9187, you explained how to use dssec.dat to expose hidden permissions for individual properties. I need to edit the values of some properties that Active Directory (AD) defines for user objects but that don't appear in the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in. For example, AD defines a property for Social Security number, but no corresponding field appears in the user's property sheet. Can I use the GUI to view some of these properties? Can I expose a property so that it shows up as an additional tab in the Active Directory Users and Computers snap-in?

As you know, the Active Directory Users and Computers snap-in doesn't expose all permissions for each user-object property. As a result, the granularity with which you can delegate access to subadministrators is limited.

For example, when you look at a user object's Advanced Security Settings dialog box, you don't see an entry for lockoutTime, which is the field to which you must have write access if you want to unlock a user account. You can edit dssec.dat so that fields that by default are hidden show up in the advanced permissions dialog box. However, dssec.dat has no effect on which properties the Active Directory Users and Computers snap-in displays data entry fields for. The fields you see when you open a user object are hard-coded.

To read or write to other properties, you need to write a script that uses Microsoft Active Directory Service Interfaces (ADSI) or the Lightweight Directory Access Protocol (LDAP) Data Interchange Format (LDIF) Directory Exchange (Ldifde) utility. Ldifde lets you use a simple text file and command-line parameters to import objects to and export them from AD. For more information about Ldifde, see "The LDIF Directory Exchange Tool," June 2003, InstantDoc ID 38947.