Using information from TechNet's Using Scripts to Delegate Control of Active Directory and MSDN's Personal-Information Property Set, I have scripted Grant_Personal_Information.vbs to grant every user Read Property and Write Property access to the Personal-Information property set on their own user object, so that each user can maintain their own personal information without being able to change anyone else's.

To use the Grant_Personal_Information.vbs:

1. Log on to the domain you wish to configure with an account that has Domain Admin rights. Log on to that domain itself, not to a trusting domain: the script builds each trustee as %USERDOMAIN%\sAMAccountName, so the logged-on account's domain must be the one whose users you are changing.

2. Open a CMD.EXE window.

3. Switch to the folder that contains the Grant_Personal_Information.vbs script.

4. Type the following command and press Enter:

cscript //nologo Grant_Personal_Information.vbs

Grant_Personal_Information.vbs contains:

On Error Resume Next

Dim objConnection, objCommand, objRootDSE, strDNSDomain
Dim strBase, strFilter, strAttributes, strQuery, objRecordSet, DOM, oShell
Dim strDN, strSAM, objSdUtil, objSD, objDacl, objAce

Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
Const ADS_RIGHT_DS_READ_PROP = &H10
Const ADS_RIGHT_DS_WRITE_PROP = &H20
Const ADS_FLAG_OBJECT_TYPE_PRESENT = &H1
Const ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT = &H2

' rightsGuid of the Personal-Information property set (controlAccessRight in the Extended-Rights container)
Const PERSONAL_INFORMATION_GUID = "{77b5b886-944a-11d1-aebd-0000f80367c1}"

' ADO query that returns every user object in the default naming context
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection

Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")
strBase = "<LDAP://" & strDNSDomain & ">"
strFilter = "(&(objectCategory=person)(objectClass=user))"
strAttributes = "distinguishedName,sAMAccountName"
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"

objCommand.CommandText = strQuery
objCommand.Properties("Page Size") = 99999
objCommand.Properties("Timeout") = 300
objCommand.Properties("Cache Results") = False
Set objRecordSet = objCommand.Execute

' NetBIOS name of the domain the current user logged on to; each trustee is written as DOMAIN\sAMAccountName
Set oShell = CreateObject("WScript.Shell")
DOM = oShell.ExpandEnvironmentStrings("%USERDOMAIN%")

Do Until objRecordSet.EOF
    strDN = objRecordSet.Fields("distinguishedName").Value
    strSAM = objRecordSet.Fields("sAMAccountName").Value

    ' Read the user object's security descriptor and its DACL
    Set objSdUtil = GetObject("LDAP://" & strDN)
    Set objSD = objSdUtil.Get("ntSecurityDescriptor")
    Set objDacl = objSD.DiscretionaryAcl

    ' Build an object-specific Allow ACE: this user gets Read Property and Write Property
    ' on the Personal-Information property set of their own object only, with no inheritance
    Set objAce = CreateObject("AccessControlEntry")
    objAce.Trustee = DOM & "\" & strSAM
    objAce.AceFlags = 0
    objAce.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
    objAce.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT
    objAce.ObjectType = PERSONAL_INFORMATION_GUID
    objAce.AccessMask = ADS_RIGHT_DS_READ_PROP Or ADS_RIGHT_DS_WRITE_PROP

    ' Append the ACE to the DACL and write the descriptor back to the directory
    objDacl.AddAce objAce
    objSD.DiscretionaryAcl = objDacl
    objSdUtil.Put "ntSecurityDescriptor", Array(objSD)
    objSdUtil.SetInfo

    ' On Error Resume Next is in force, so report failures per object instead of silently skipping them
    If Err.Number <> 0 Then
        WScript.Echo "FAILED " & strDN & ": " & Err.Description
        Err.Clear
    Else
        WScript.Echo "Granted " & strDN
    End If

    objRecordSet.MoveNext
Loop

objRecordSet.Close
objConnection.Close
Set objRecordSet = Nothing
Set objConnection = Nothing
Set objCommand = Nothing
Set objRootDSE = Nothing
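As an added example, not part of the original page or of Grant_Personal_Information.vbs, the same change written in PowerShell on System.DirectoryServices (the ADSI layer the VBScript also uses, so no RSAT module is required). It differs from the script in three ways a practitioner will want: the trustee is the user's own SID, so there is no dependency on %USERDOMAIN%; an ACE that is already present is skipped rather than added twice; and each write is verified by re-reading the object. The script name Grant-PersonalInformation.ps1 and the -SearchBase parameter are assumptions of this example.

```powershell
# Added example (not the page's own code): PowerShell equivalent of Grant_Personal_Information.vbs.
# Grants every user Read/Write Property on the Personal-Information property set of their own
# user object, skipping users that already have the ACE and verifying each write afterwards.
# Run as Domain Admin; -WhatIf previews the changes without writing anything.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumed parameter: restrict the search to one OU; the default is the domain root.
    [string]$SearchBase = ([ADSI]'LDAP://RootDSE').defaultNamingContext
)

# rightsGuid of the Personal-Information property set, as in the VBScript
$PersonalInformation = [Guid]'77b5b886-944a-11d1-aebd-0000f80367c1'
$Rights = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'

function Test-PersonalInfoAce {
    # $true when $Acl already contains an Allow ACE for $Sid that covers Read+Write on the property set
    param(
        [System.DirectoryServices.ActiveDirectorySecurity]$Acl,
        [System.Security.Principal.SecurityIdentifier]$Sid
    )
    foreach ($rule in $Acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($rule.AccessControlType -eq 'Allow' -and
            $rule.IdentityReference -eq $Sid -and
            $rule.ObjectType -eq $PersonalInformation -and
            (($rule.ActiveDirectoryRights -band $Rights) -eq $Rights)) {
            return $true
        }
    }
    return $false
}

# Same LDAP filter as the VBScript; PageSize turns on paging so domains with >1000 users are covered
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
$searcher.Filter     = '(&(objectCategory=person)(objectClass=user))'
$searcher.PageSize   = 1000
$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'sAMAccountName', 'objectSid'))

foreach ($result in $searcher.FindAll()) {
    $dn  = $result.Properties['distinguishedname'][0]
    $sam = $result.Properties['samaccountname'][0]
    $sid = New-Object System.Security.Principal.SecurityIdentifier(
               [byte[]]$result.Properties['objectsid'][0], 0)

    $entry = [ADSI]"LDAP://$dn"
    $acl   = $entry.psbase.ObjectSecurity     # System.DirectoryServices.ActiveDirectorySecurity

    if (Test-PersonalInfoAce -Acl $acl -Sid $sid) {
        Write-Verbose "$sam : ACE already present, skipping"
        continue
    }

    # Object-specific Allow ACE: trustee = the user's own SID, rights = RP|WP,
    # object type = Personal-Information property set, no inheritance flags
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
               $sid, $Rights,
               [System.Security.AccessControl.AccessControlType]::Allow,
               $PersonalInformation)

    if ($PSCmdlet.ShouldProcess($dn, 'Grant user Read/Write Personal-Information on own object')) {
        try {
            $acl.AddAccessRule($ace)
            $entry.psbase.CommitChanges()

            # Verify with a fresh read of the object rather than trusting the local cache
            $check = [ADSI]"LDAP://$dn"
            if (Test-PersonalInfoAce -Acl $check.psbase.ObjectSecurity -Sid $sid) {
                Write-Output "Granted $dn"
            } else {
                Write-Warning "$sam : ACE not found after write"
            }
        } catch {
            Write-Warning "$sam : $($_.Exception.Message)"
        }
    }
}
```

Run it first as `.\Grant-PersonalInformation.ps1 -WhatIf` to see which users would be changed, then without -WhatIf; re-running it is safe because existing ACEs are skipped. After either this script or the VBScript has run, `dsacls "<user DN>"` lists the ACEs on a single user object and is a quick way to confirm that the user's own account now has an object-specific Allow entry for the Personal Information property set and nothing broader.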