ASP.NET impersonation to alter Active Directory objects

Servers.Manager

New Member
So here's the scenario I'm trying to find a solution for. My company currently has a records system for its staff, but it is not linked to Active Directory. We have duplicate, and often inaccurate, data because of this. What I'm trying to do is allow the records system to update values in Active Directory; however, I want to scope what can be changed and by whom. So:

- When we have a new hire, IT will enter the initial record, which would also create the AD user.
- HR comes along and updates title/description/phone/address etc., but they shouldn't be able to create or delete a record from the system. (They'll have to file a ticket, or something.)

I've been trying to read about the Kerberos double-hop problem, and it seems I need the ability to delegate; however, my own IT powers aren't high enough. I could escalate and try to get sign-off from the higher-level IT folks to grant delegation to an account, but I'm saving that as a last resort.

I would like to accomplish things using impersonation, but I'm having a hard time finding a clear answer on how to implement impersonation.

I have enabled impersonation in web.config and in IIS. I have set the appPool identity to Network Service. After that, I'm lost on what to do next or how to test settings.
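One way to scope the HR updates in the web tier while still letting the domain controller enforce the caller's own AD permissions, as an added example that is not from the original post. It assumes ASP.NET on the .NET Framework with Windows authentication and impersonation enabled; the attribute list, the placeholder DN and the class name are assumptions.

```csharp
// Added example (not from the original post): restricts writes to a fixed set of
// attributes and performs them under the impersonated identity of the web caller.
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Principal;
using System.Web;

public static class ScopedAdUpdater
{
    // Attributes HR may change. Anything else is rejected here, and the DC still
    // applies its own ACLs to whatever does get through.
    private static readonly HashSet<string> HrWritableAttributes =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "title", "description", "telephoneNumber", "streetAddress", "l", "postalCode" };

    // userDn is a placeholder such as "CN=Jane Doe,OU=Staff,DC=example,DC=local".
    public static void UpdateUser(string userDn, IDictionary<string, string> changes)
    {
        foreach (var attr in changes.Keys)
            if (!HrWritableAttributes.Contains(attr))
                throw new UnauthorizedAccessException("Attribute not in HR scope: " + attr);

        var caller = HttpContext.Current.User.Identity as WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated)
            throw new UnauthorizedAccessException("Windows authentication is required.");

        // With <identity impersonate="true"/> the request thread already runs as the
        // caller; Impersonate() makes that explicit and limits it to this block.
        using (WindowsImpersonationContext ctx = caller.Impersonate())
        {
            // No username/password is supplied, so ADSI binds with the thread token.
            // Caveat: if the DC is on another host, that token only works when the
            // web server is trusted for Kerberos delegation (the double-hop problem).
            using (var entry = new DirectoryEntry("LDAP://" + userDn))
            {
                foreach (var kv in changes)
                {
                    if (string.IsNullOrEmpty(kv.Value))
                        entry.Properties[kv.Key].Clear();        // empty value removes it
                    else
                        entry.Properties[kv.Key].Value = kv.Value;
                }
                entry.CommitChanges(); // DC enforces ACLs for the impersonated user
            }
        }
    }
}
```

A quick way to test the setup is to call this from a page while logged on as an HR account that has been granted write access only to those attributes in the OU; a write to any other attribute should fail at the DC, not just in the code.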
 