How to delegate access to the RFC2307 UNIX attributes in Active Directory (AD) that QAS uses for storing UNIX account information, using ADUC (Active Directory Users and Computers).
Permissions needed to edit values in Unix Account Tab in ADUC.
Greyed out Unix-enabled in the Unix Account tab.
NOTE:
These steps assume the base level of permissions of a normal Active Directory user, which typically includes rights such as Read and List Contents on objects in the domain itself. For requirements beyond this, it is recommended to work with Microsoft support or professional services.
Delegating Basic (Read/Write) access to RFC2307 UNIX attributes
1. Open ADUC (Active Directory Users and Computers).
2. Select the OU that contains the users for which you wish to delegate access to the UNIX attributes.
3. Right-click the OU and select "Delegate Control", then click "Next".
4. Click "Add", enter the user or group to which you wish to delegate permissions, click "OK", then click "Next".
5. Select the "Create a custom task to delegate" radio button and click "Next".
6. Select the "Only the following objects in the folder" radio button, check "User objects", and click "Next".
7. Uncheck "General", check "Property-specific", then check the Read and/or Write boxes for each UNIX attribute** according to your requirements.
8. Click "Next", then click "Finish".
Delegating Advanced (Allow/Deny) Security access to RFC2307 UNIX attributes:
1. Open ADUC (Active Directory Users and Computers).
2. Select the OU that contains the users for which you wish to delegate access to the UNIX attributes.
3. Right-click the OU, select "Properties", select the "Security" tab, then click "Advanced" (the "Apply to" scope used below is only available in the Advanced Security Settings dialog).
4. Click "Add", enter the user or group to which you wish to delegate permissions, then click "OK".
5. Select the new entry, click "Edit", and select the "Properties" tab.
6. Select "Descendant User objects" from the "Apply to" drop-down list so the entries are inherited by users in the OU and not applied to the OU object itself.
7. Check the Allow or Deny boxes for each UNIX attribute** according to your requirements (a Deny entry takes precedence over an Allow for the same right).
8. Click "OK", click "Apply", then click "OK".
**UNIX attributes (RFC2307 lDAPDisplayNames, as they appear in the ADUC permission lists):
uidNumber
gidNumber
gecos
unixHomeDirectory
loginShell
These are the attributes QAS stores on Unix-enabled user objects. If the delegate must also Unix-enable groups, repeat the procedure with "Group objects" selected and grant access to gidNumber (and memberUid, if your QAS schema configuration uses it for group membership).
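Both procedures above write the same thing into the OU's DACL: one access control entry (ACE) per attribute, Allow or Deny, for ReadProperty and/or WriteProperty, inherited by descendant user objects. The script below is an added example, not code from the One Identity article or from QAS, that performs the same delegation with the ActiveDirectory PowerShell module and then reads the resulting entries back for verification. It assumes RSAT (the ActiveDirectory module and the AD: drive) is installed and that the caller is allowed to modify the OU's DACL; the OU distinguished name, group names and the function names are placeholders chosen for the example.

```powershell
# Added example (not part of the One Identity article): delegate Allow or Deny
# ReadProperty/WriteProperty on the RFC2307 UNIX attributes to a group, scoped to
# descendant objects of one class (user by default) under a single OU.
# Assumes the ActiveDirectory module (RSAT) is available; names are placeholders.
Import-Module ActiveDirectory

function Get-SchemaGuid {
    # ACEs identify attributes and classes by schemaIDGUID, not by name,
    # so look the GUID up in the schema naming context.
    param([string] $LdapDisplayName, [string] $Category)   # Category: attributeSchema or classSchema
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=$Category)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found (RFC2307 schema extension missing?)" }
    return [guid]$obj.schemaIDGUID
}

function Grant-UnixAttributeAccess {
    param(
        [Parameter(Mandatory)] [string] $OU,             # distinguishedName of the OU
        [Parameter(Mandatory)] [string] $DelegateGroup,  # sAMAccountName of the delegate group
        [string[]] $Attributes = @('uidNumber','gidNumber','gecos','unixHomeDirectory','loginShell'),
        [string]   $ObjectClass = 'user',                # 'group' to scope the ACEs to descendant group objects
        [ValidateSet('Allow','Deny')] [string] $AccessType = 'Allow',
        [switch]   $ReadOnly                             # ReadProperty only, no WriteProperty
    )
    $rights = if ($ReadOnly) { [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty' }
              else           { [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty' }
    $sid       = (Get-ADGroup -Identity $DelegateGroup).SID
    $classGuid = Get-SchemaGuid -LdapDisplayName $ObjectClass -Category 'classSchema'
    $path      = "AD:\$OU"
    $acl       = Get-Acl -Path $path

    foreach ($attr in $Attributes) {
        # ObjectType = the attribute; InheritedObjectType = the class the ACE applies to;
        # Descendents = "Descendant <class> objects" in the ADUC "Apply to" list.
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid,
            $rights,
            [System.Security.AccessControl.AccessControlType]$AccessType,
            (Get-SchemaGuid -LdapDisplayName $attr -Category 'attributeSchema'),
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
            $classGuid)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $path -AclObject $acl
}

function Get-UnixAttributeAccess {
    # Read back the ACEs on the OU that name the delegate group, to verify the delegation.
    param([Parameter(Mandatory)] [string] $OU, [Parameter(Mandatory)] [string] $DelegateGroup)
    $account = (Get-ADGroup -Identity $DelegateGroup).SID.Translate([System.Security.Principal.NTAccount]).Value
    (Get-Acl -Path "AD:\$OU").Access |
        Where-Object { $_.IdentityReference.Value -eq $account } |
        Select-Object AccessControlType, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
}

# Usage with placeholder names:
# Basic Read/Write delegation on descendant user objects (first procedure above):
#   Grant-UnixAttributeAccess -OU 'OU=UnixUsers,DC=example,DC=com' -DelegateGroup 'UnixAdmins'
# Deny a helpdesk group read and write on loginShell only (Advanced procedure above):
#   Grant-UnixAttributeAccess -OU 'OU=UnixUsers,DC=example,DC=com' -DelegateGroup 'UnixHelpdesk' -Attributes loginShell -AccessType Deny
# Verify what was written:
#   Get-UnixAttributeAccess -OU 'OU=UnixUsers,DC=example,DC=com' -DelegateGroup 'UnixHelpdesk'
```

Get-UnixAttributeAccess shows the attribute and class as GUIDs; `dsacls "OU=UnixUsers,DC=example,DC=com"` prints the same entries with the attribute names resolved, which is the quicker check that uidNumber, gidNumber, gecos, unixHomeDirectory and loginShell are all present for the delegate. If one of them is missing, the Unix Account tab stays greyed out for that delegate even though the others were granted.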
Please note that if you are using any custom attributes, the delegate will need read/write access to those as well. You can check the Control Center tool to see which attributes are configured. On the UNIX side you can run the following as root; it lists the attributes in use and the QAC:
The account will also need Read and List Contents access to the Quest Application Configuration (QAC) container in AD.
© 2024 One Identity LLC. ALL RIGHTS RESERVED.