How to Allow the Delegation of Filtered Properties in Active Directory Users and Computers

Some of Active Directory objects' properties are not displayed when you try to delegate them using Active Directory Users and Computers administrative tool (Example: sn attribute that is used to store the Last Name). These properties are hidden to make the list of available ones for delegation easier to manage.

This article shows how to display filtered properties in Active Directory Users and Computers to allow their delegation.
Below is how you need to proceed:

• Go to %systemroot%\System32 folder, search dssec.dat file and open it using Notepad

• Find the object property to update and then set one of the following filter values:
  • 0: To Display Read and Write permissions for the property
  • 1: To Display only the Write permission for the property
  • 2: To Display only the Read permission for the property

Remark: If you set 7 as the filter value then Read and Write permissions for the property will no longer be displayed.

Once you finish updating the property filter value, you would be able to see the Read, Write or Read / Write permissions for the properties when you try to delegate them.