So, we want to delegate control of specific OUs in Active Directory to users, but only allow them to change phone numbers and titles. So far I've been able to restrict nearly everything by allowing or denying the user specific security permissions for user objects in the OU. However, I cannot seem to find how to restrict access to the "Last Name", "Initials", and "E-mail" fields in ADUC.
Could someone please help me find the permissions to set to block any changes to those fields?
Here is where I'm setting the permissions: