Default User permissions
Should a user ("self") be able to update their associated Assistant's Name and Phone Number by default, or do I have to grant that as a special permission? If I have to grant that as a special permission, is there a simple way to achieve this across my user base? Would I just delegate this at the OU level?
Derek
September 15th, 2010 10:40am
You need to delegate a custom control to change user properties.
To assign control for creating and deleting a user’s personal information in Active Directory to a user, proceed as follows:
1. In the left pane, right-click Divisions OU, and then click Delegate control. The Delegation of Control wizard appears. Click Next.
2. On the Users or Groups page, click Add, click Advanced, and then click Find Now. Scroll to the user, double-click on the user, and then click OK. Click Next to continue.
3. On the Tasks to Delegate page, click Create a custom task to delegate. (This allows you to delegate control of the entire container.) Click Next.
4. On the Active Directory Object Type screen, click Only the following objects in the folder.
5. Scroll down to the final entry and select the User Objects check box. At the bottom of the Active Directory Object Type screen, select both Create / Delete selected objects in this folder check boxes.
6. On the Permission page, ensure that General is selected (default). Scroll down and select the Read and write personal information check box.
Note: Selecting the property-specific check box will provide an additional level of detail at the attribute level. For example, if you only wanted the user to be able to change a user’s street address, you would select that particular attribute.
7. Click Next to continue.
8. On the summary page, review the proposed settings, and then click Finish.
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
September 15th, 2010 10:52am
First, thank you for your response. So can I take this as an indication that they are not able to update these two attributes on their own account by default, but are limited to just the Private Information attributes, i.e. address, home phone, etc.?
September 15th, 2010 12:30pm
Hi,
By default, a user (SELF) should have the permission to Read/Write Personal Information, Phone and Mail Options and Web Information, which you can verify in the DACL (access control list) on the user account object in the AD Users and Computers MMC.
September 16th, 2010 1:51am
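
The DACL check described in the last reply can also be scripted. The following is an added example, not code from any poster in this thread: it looks up which property set each attribute belongs to in the schema and reports whether an Allow ACE for SELF on the user object covers it. The function name `Test-SelfWrite` and the account `jdoe` are hypothetical; it assumes the RSAT ActiveDirectory module, an English-language trustee name (`NT AUTHORITY\SELF`), and it does not evaluate Deny ACEs.

```powershell
Import-Module ActiveDirectory   # provides the AD: drive used by Get-Acl below

function Test-SelfWrite {       # hypothetical helper name, added for illustration
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [string[]] $Attribute = @('assistant', 'telephoneNumber')
    )
    $root = Get-ADRootDSE
    $dn   = (Get-ADUser -Identity $Identity).DistinguishedName

    # Property sets are controlAccessRight objects with validAccesses = 48.
    $sets = @{}
    Get-ADObject -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" `
        -LDAPFilter '(&(objectClass=controlAccessRight)(validAccesses=48))' `
        -Properties rightsGuid, displayName |
        ForEach-Object { $sets[[guid]$_.rightsGuid] = $_.displayName }

    # Allow ACEs for SELF that grant WriteProperty and apply to the object itself.
    $write = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    $selfWrites = (Get-Acl -Path "AD:\$dn").Access | Where-Object {
        $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF' -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $write) -and
        -not ($_.PropagationFlags -band $inheritOnly)
    }

    foreach ($name in $Attribute) {
        $schema = Get-ADObject -SearchBase $root.schemaNamingContext `
            -LDAPFilter "(lDAPDisplayName=$name)" `
            -Properties schemaIDGUID, attributeSecurityGUID
        $attrGuid = [guid]::new([byte[]]$schema.schemaIDGUID)
        $setGuid  = [guid]::Empty
        if ($schema.attributeSecurityGUID) {
            $setGuid = [guid]::new([byte[]]$schema.attributeSecurityGUID)
        }
        # An ACE matches if it names the attribute, its property set,
        # or carries the empty GUID (meaning all properties).
        $hit = $selfWrites | Where-Object {
            $_.ObjectType -in @($attrGuid, $setGuid, [guid]::Empty)
        }
        [pscustomobject]@{
            Attribute    = $name
            PropertySet  = $sets[$setGuid]   # $null if the attribute is in no set
            SelfCanWrite = [bool]$hit
            Inherited    = ($hit | ForEach-Object IsInherited) -join ','
        }
    }
}

Test-SelfWrite -Identity 'jdoe'   # constructed account name
```

The `Inherited` column shows whether a matching ACE came from a parent container (such as an OU-level delegation) or is set directly on the user object.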


