Today, I was trying to help a client delegate permission to a specific Security Group so it could modify a few attributes on user objects in Active Directory, an easy enough task. However, when I went to check the boxes for Read and Write on Last Name and Office Location, they were inexplicably missing (even though the ones for First Name and Display Name were there).
As it turns out, for some odd reason these attributes aren't exposed for permission assignment by default. To make them show up, close AD Users and Computers and navigate to C:\Windows\System32. In there, make a backup of the file dssec.dat, then open the original. Scroll down to the [user] section and change the value for the attributes you can't find from 7 to 0, in my case sn (Last Name) and physicalDeliveryOfficeName (Office Location). Then save the file, relaunch AD Users and Computers, attempt to delegate the permissions again and voila, they will appear and can be checked.

NOTE: This is a local setting ONLY, so if you need to delegate permissions that aren't showing in AD Users and Computers on another computer, you will need to modify the local copy of the dssec.dat file on that computer as well.
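As an added example (not from the original post), this PowerShell script does the backup and the 7-to-0 edit described above, restricted to the [user] section since the same attribute name can appear under other object classes in the file. It assumes an elevated session and that dssec.dat uses plain attribute=value lines under a [user] header.

```powershell
# Added example, not from the original post: unhide attributes in the [user]
# section of dssec.dat so the Delegation of Control wizard lists them.
# Assumes an INI-style file with "attribute=7" lines under "[user]" and an
# elevated PowerShell session (System32 is not writable otherwise).
param(
    [string[]]$Attributes = @('sn', 'physicalDeliveryOfficeName'),
    [string]$Path = "$env:SystemRoot\System32\dssec.dat"
)

# Keep a timestamped backup before touching anything in System32.
$backup = "$Path.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -LiteralPath $Path -Destination $backup
Write-Host "Backup written to $backup"

$lines   = Get-Content -LiteralPath $Path
$inUser  = $false        # true while we are inside the [user] section
$changed = @{}           # attribute -> number of lines modified

for ($i = 0; $i -lt $lines.Count; $i++) {
    $line = $lines[$i]
    # A line such as "[user]" or "[computer]" starts a new section.
    if ($line -match '^\s*\[(?<section>[^\]]+)\]\s*$') {
        $inUser = ($Matches['section'] -eq 'user')
        continue
    }
    if (-not $inUser) { continue }

    foreach ($attr in $Attributes) {
        # Only rewrite "attr=7" (case-insensitive, optional spaces) inside
        # [user]; the same name in any other section is left untouched.
        if ($line -match "^\s*$([regex]::Escape($attr))\s*=\s*7\s*$") {
            $lines[$i] = "$attr=0"
            $changed[$attr] = 1 + [int]$changed[$attr]
        }
    }
}

foreach ($attr in $Attributes) {
    if (-not $changed.ContainsKey($attr)) {
        Write-Warning "'$attr' not found with value 7 in [user]; nothing changed for it."
    }
}

# Write back as ASCII so the file keeps a plain-text encoding.
Set-Content -LiteralPath $Path -Value $lines -Encoding Ascii
Write-Host "Updated $($changed.Count) attribute(s); relaunch AD Users and Computers."
```

Because the setting is local, run it on each workstation where the delegation is performed, and keep the .bak file so the original filter can be restored once the delegation is done.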