Task Delegation

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Hi guys,

At the moment our dept is trying to delegate some of our user tasks to 1st
line support to free a bit more of our time up! We want 1st line to be able
to:

1) Reset user passwords
2) Unlock user accounts
3) Enable disabled users

I've written a pretty much foolproof VB script (if there is such a thing) to
allow them to do that (didn't want to give them AD U&C as they would be
tempted to look around).

I've been testing this script under my account on our test domain (domain
admin) and everything was working spot on. I created a test user with the
same privileges as a 1st line support person and tried to test it under
there. Originally I got "Access Denied" errors when I tried to reset a
password so I did the following...

Created a new group "User support" and gave it the following permissions on
the highest OU I wanted them to have control over in the advanced permissions
menu...

1) Object tab
.....Apply onto: User Objects Only
....."Reset Password" - "Allow"

2) Properties tab
.....Apply onto: User Objects Only
....."lockout time" - "Read"
....."lockout time" - "Write"
....."pwdLastSet" - "Read"
....."pwdLastSet" - "Write"

When I log on as the account now and try to change a user's password through
AD U&C it works fine, but if I try it from the script I get a "General Access
Denied" error message.

Can anyone tell me if I've missed a permission off from somewhere, or does
anyone have any links that would help describe what each of these permissions
are?

Any help is much appreciated.

We would have to see your script to be sure. But my guess is you used the WinNT
provider instead of the LDAP provider. They require different levels of
permissions because they use different APIs in the backend.

Also I hope you don't think you are securing things by not giving ADUC to the
support folks, i.e. security by obscurity. Assume they will get that or some
other tool that can look at all of AD and make sure you are secure against them
doing damage.

Also note that nothing you gave will give the ability to enable a disabled user.
That is controlled by the useraccountcontrol attribute, but it also controls
several other things such as password never expires, etc.

joe




--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


Tomski wrote:
> Hi guys,
>
> At the moment our dept is trying to delegate some of our user tasks to 1st
> line support to free a bit more of our time up! We want 1st line to be able
> to:
>
> 1) Reset user passwords
> 2) Unlock user accounts
> 3) Enable disabled users
>
> I've written a pretty much foolproof VB script (if there is such a thing) to
> allow them to do that (didn't want to give them AD U&C as they would be
> tempted to look around).
>
> I've been testing this script under my account on our test domain (domain
> admin) and everything was working spot on. I created a test user with the
> same privileges as a 1st line support person and tried to test it under
> there. Originally I got "Access Denied" errors when I tried to reset a
> password so I did the following...
>
> Created a new group "User support" and gave it the following permissions on
> the highest OU I wanted them to have control over in the advanced permissions
> menu...
>
> 1) Object tab
> ....Apply onto: User Objects Only
> ...."Reset Password" - "Allow"
>
> 2) Properties tab
> ....Apply onto: User Objects Only
> ...."lockout time" - "Read"
> ...."lockout time" - "Write"
> ...."pwdLastSet" - "Read"
> ...."pwdLastSet" - "Write"
>
> When I log on as the account now and try to change a user's password through
> AD U&C it works fine, but if I try it from the script I get a "General Access
> Denied" error message.
>
> Can anyone tell me if I've missed a permission off from somewhere, or does
> anyone have any links that would help describe what each of these permissions
> are?
>
> Any help is much appreciated.
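Worked example added here for illustration; it is not Tomski's script and not code from anyone in the thread. It shows the three delegated operations done through the LDAP provider rather than the WinNT provider, so the OU-level ACEs described above ("Reset Password" control-access right, Read/Write on lockoutTime, and Read/Write on userAccountControl) are what govern access. Joe's point about userAccountControl is handled by clearing only the ACCOUNTDISABLE bit (0x2) so the other flags stored in the same attribute are left as they are. The distinguished name and the new password are placeholders.

```vbscript
' Added example (not the original poster's script). Assumes a delegated
' group has been granted, on the OU and its user objects: the "Reset
' Password" control-access right, Read/Write on lockoutTime and Read/Write
' on userAccountControl. Uses the LDAP provider, not WinNT.
Option Explicit

Const ADS_UF_ACCOUNTDISABLE = &H2      ' bit in userAccountControl

Dim userPath
userPath = "LDAP://CN=Test User,OU=Staff,DC=example,DC=com"   ' placeholder DN

Dim objUser
Set objUser = GetObject(userPath)

On Error Resume Next

' 1) Reset password. Needs the "Reset Password" control-access right.
'    A real helpdesk tool would prompt for the value rather than hard-code it.
objUser.SetPassword "PLACEHOLDER-NewPassw0rd!"
ReportResult "Reset password"

' 2) Unlock. Writing 0 to lockoutTime clears the lockout; needs Read/Write
'    on that single attribute.
objUser.Put "lockoutTime", 0
objUser.SetInfo
ReportResult "Unlock account"

' 3) Enable. Clear only the ACCOUNTDISABLE bit so flags such as
'    "password never expires" in the same attribute are untouched.
'    Needs Read/Write on userAccountControl.
Dim uac
uac = objUser.Get("userAccountControl")
If (uac And ADS_UF_ACCOUNTDISABLE) <> 0 Then
    objUser.Put "userAccountControl", uac And (Not ADS_UF_ACCOUNTDISABLE)
    objUser.SetInfo
    ReportResult "Enable account"
Else
    WScript.Echo "Enable account: already enabled, nothing changed"
End If

' Prints the outcome of the previous ADSI call and clears the error state,
' so an "Access Denied" on one step is attributed to that step.
Sub ReportResult(stepName)
    If Err.Number <> 0 Then
        WScript.Echo stepName & ": FAILED (0x" & Hex(Err.Number) & ") " & Err.Description
        Err.Clear
    Else
        WScript.Echo stepName & ": OK"
    End If
End Sub
```

Run it under the delegated test account rather than a domain admin: with the WinNT provider each step would fail with "Access Denied" despite the OU permissions, because that provider goes through the SAM APIs and ignores the directory ACL; with the LDAP provider the per-step output tells you exactly which right is still missing.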

Joe,

Thanks for the response.

Yes, I am using the WinNT provider. I'll switch to LDAP and retest.

I'm not under the impression that I am securing the system through
obscurity. This is why I wanted to lock down the users' permissions as tight
as possible so even if they could see the domain, they wouldn't be able to do
anything with it. Not giving them ADU&C was more of a management decision!

After looking into this problem a bit more I discovered that the
useraccountcontrol permission was needed so I changed the script accordingly.

Once again, thanks for your response.



"Joe Richards [MVP]" wrote:

> We would have to see your script to be sure. But my guess is you used the WinNT
> provider instead of the LDAP provider. They require different levels of
> permissions because they use different APIs in the backend.
>
> Also I hope you don't think you are securing things by not giving ADUC to the
> support folks, i.e. security by obscurity. Assume they will get that or some
> other tool that can look at all of AD and make sure you are secure against them
> doing damage.
>
> Also note that nothing you gave will give the ability to enable a disabled user.
> That is controlled by the useraccountcontrol attribute, but it also controls
> several other things such as password never expires, etc.
>
> joe