Re: Deligating control
- From: "Jorge de Almeida Pinto" <SubstituteThisWithMyFullNameSeparatedByDots@xxxxxxxxx>
- Date: Sat, 24 Dec 2005 20:28:29 +0100
Well, here it goes, have fun with it.
################################
1. JOIN COMPUTERS TO THE DOMAIN
---------------------------------
Well, this is possible through the Delegation of Control Wizard. Read the
following first which gives some recommendations.
The user right "Add workstation to the domain" by default (configured in the
Default Domain Controllers GPO) grants EVERY AUTHENTICATED USER (even non-admin
users) in the domain the ability to add/join workstations to the domain. It is
best to remove "Authenticated Users" from that user right or set the quota to 0.
For true delegation it is better to delegate the right to create computer
accounts and to join computers as mentioned below.
Using the Delegation of Control Wizard you can delegate the creation of
computer accounts to the domain. This does not mean the same user/group can
also JOIN the computer to the domain. In the DELEGWIZ.INF file (%WINDIR%\INF)
look at template 6.
By default the "AppliesToClasses" is set to "domainDNS" (case sensitive and
without quotes). With this you can only delegate computer account creation at
domain level. Change that to "domainDNS,organizationalUnit,container" (case
sensitive and without quotes) and you will be able to delegate at OU level.
If you delegate the creation of computer accounts to a group (e.g.
GROUP-CREATE-COMPOBJ), the member of that group that creates the computer
account becomes the owner of the computer account and automatically receives
the right to join a computer with that name to the domain. The other members
of that group will not be able to join the computer to the domain. In this
case only the user that created the computer account will be able to join the
computer.
Let's say you have another group called GROUP-JOIN-COMP that is allowed to
join computers (not create computer accounts) to the domain. The user who
creates the computer account has the possibility to designate which user or
group gets the right to join the computer to the domain with the option "The
following group or user can join this computer to a domain" (by default this
is the Domain Admins group). The group mentioned in that option will be able
to join the computer to the domain. In my opinion that is a lot of work just
to create a computer account and join it.
It is however possible to pre-configure the option called "The following group
or user can join this computer to a domain" (by default the Domain Admins
group).
Add to the DELEGWIZ.INF file (%WINDIR%\INF) a NEW template you can use to
delegate the task of JOINING COMPUTERS TO THE DOMAIN (not the creation of
computer accounts). The minimum rights are mentioned below!
REPLACE THE X WITH A NUMBER!
;----------------------------------------------------------
[templateX]
AppliesToClasses = domainDNS,organizationalUnit,container
Description = "Join a computer to the domain in an OU (computer account pre-created)"
ObjectTypes = computer
; the section name must carry the same number as the [templateX] header above
[templateX.computer]
;Right to join computers to domain
CONTROLRIGHT= "Reset Password","Validated write to DNS host name","Validated write to service principal name","Account Restrictions"
;----------------------------------------------------------
This way you can delegate the creation of computer accounts to group1 and the
joining of the computers to group2.
It is also however possible you have a group of people who create computer
accounts and also join them. To enable everyone in that group to create
computer accounts and join the computers to the domain independent of who
created the computer accounts, replace TEMPLATE 6 with what is mentioned below
or perform the delegation twice with the additional task created above! If
you want to join a computer to the domain in a specific OU and the computer
account has not been pre-created you cannot use the GUI at the computer. For
this you must use the tool NETDOM so you can specify the OU the computer
account must reside in! The latter is only possible when you at least have
the right to create a computer object in the designated OU. Joining will also
be possible because you automatically become the owner of the computer
account!
;----------------------------------------------------------
[template6]
AppliesToClasses = domainDNS,organizationalUnit,container
Description = "Add and/or join a computer to the domain in an OU (computer)"
ObjectTypes = SCOPE, computer
[template6.SCOPE]
;Right to create computer objects
computer=CC
[template6.computer]
;Right to join computers to domain
CONTROLRIGHT= "Reset Password","Validated write to DNS host name","Validated write to service principal name","Account Restrictions"
;----------------------------------------------------------
################################
2. MOVE COMPUTERS BETWEEN OU'S
---------------------------------
In order to move an object in the DS, you need the following three permissions:
1) DELETE_CHILD on the source container or DELETE on the object being moved.
2) WRITE_PROP on the object being moved for two properties: RDN (name) and
CN (or whatever happens to be the RDN attribute for this class, i.e. ou for
org units).
3) CREATE_CHILD on the destination container.
This is not available as a common task in the Delegation of Control Wizard,
thus you need to create a custom task in the Delegation of Control Wizard by
selecting the correct properties.
################################
3. RESET USER PASSWORDS
---------------------------------
To reset user passwords you need the "Reset Password" extended right on the
user object. This is also available through the Delegation of Control Wizard
using the common delegated task "Reset a user account's password".
If you want to reset user passwords and force a password change at next logon
you need the "Reset Password" extended right on the user object and you need
Read/Write permissions on the attribute "pwdLastSet". This is also available
through the Delegation of Control Wizard using the common delegated task
"Reset user passwords and force password change at next logon".
################################
4. Unlock user accounts
---------------------------------
To unlock accounts you need the read/write permission on the "lockoutTime"
attribute on the user object. Unfortunately this is not available through the
Delegation of Control Wizard as a common delegated task like "Unlock a user
account". However, still using the Delegation of Control Wizard, you can
create a custom task that applies to user objects and is property specific.
In the list shown select "Read lockoutTime" and "Write lockoutTime".
--
Cheers,
# Jorge de Almeida Pinto #
BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
-----------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
"jagan" <jagan@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:1B2850A7-2D39-4040-B0F6-EAF45DF1A5D1@xxxxxxxxxxxxxxxx
> Hi,
>
> I would like to delegate the following tasks to a universal security group in
> our organization.
>
> 1. Add computer to domain.
> 2. Move computers from one OU to another.
> 3. Unlock user account.
> 4. Reset user password.
>
> How can I accomplish these tasks using delegation of control?
>
> I have tried issuing the below permissions at domain level to accomplish
> this.
>
> 1. Given full control on computer accounts (to add computers into the domain
> and move computers from one OU to another).
> 2. Given full control on user accounts (to unlock user accounts and reset
> passwords).
>
> When I give these permissions combined it's not working.
>
> What could be the problem?
>
> Your help would be appreciated.
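The same minimum join rights that the [templateX] above hands to the Delegation of Control Wizard can also be granted directly on an OU with PowerShell and the ActiveDirectory module. This is an added example and not code from the original post; the OU path is assumed, the group name GROUP-JOIN-COMP is taken from the post, and the GUIDs for the class, validated writes, property set and extended right are resolved from the schema and Extended-Rights containers by name rather than hard-coded.

```powershell
# Added example (not from the original post): grant GROUP-JOIN-COMP the minimum
# rights from [templateX] on an OU, inherited to the computer objects under it,
# without editing DELEGWIZ.INF. Assumes RSAT / the ActiveDirectory module.
Import-Module ActiveDirectory

$OuDn    = 'OU=Workstations,DC=example,DC=com'   # assumed OU, adjust to your domain
$GroupId = (Get-ADGroup 'GROUP-JOIN-COMP').SID    # group name from the post
$RootDse = Get-ADRootDSE
$Schema  = $RootDse.schemaNamingContext
$Rights  = "CN=Extended-Rights,$($RootDse.configurationNamingContext)"

# Resolve class, validated-write, property-set and extended-right GUIDs by name
function Get-SchemaGuid([string]$Name) {
    [guid](Get-ADObject -SearchBase $Schema -LDAPFilter "(lDAPDisplayName=$Name)" `
        -Properties schemaIDGUID).schemaIDGUID
}
function Get-RightGuid([string]$Name) {
    [guid](Get-ADObject -SearchBase $Rights -LDAPFilter "(displayName=$Name)" `
        -Properties rightsGuid).rightsGuid
}

$ComputerClass = Get-SchemaGuid 'computer'
$Inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$Allow   = [System.Security.AccessControl.AccessControlType]::Allow

# One ACE per right in the template: the validated writes use the Self access
# mask, "Account Restrictions" is a property set granted read+write, and
# "Reset Password" is a control access (extended) right.
$Aces = @(
    @{ Right = 'ExtendedRight';              Guid = Get-RightGuid 'Reset Password' }
    @{ Right = 'Self';                       Guid = Get-RightGuid 'Validated write to DNS host name' }
    @{ Right = 'Self';                       Guid = Get-RightGuid 'Validated write to service principal name' }
    @{ Right = 'ReadProperty,WriteProperty'; Guid = Get-RightGuid 'Account Restrictions' }
)

$Acl = Get-Acl -Path "AD:\$OuDn"
foreach ($a in $Aces) {
    $Acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $GroupId, [System.DirectoryServices.ActiveDirectoryRights]$a.Right, $Allow,
        $a.Guid, $Inherit, $ComputerClass)))
}
Set-Acl -Path "AD:\$OuDn" -AclObject $Acl

# Check: show exactly which ACEs the group now holds on that OU
(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference -like '*GROUP-JOIN-COMP' } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType -AutoSize
```

Because the ACEs are scoped to descendant computer objects only, the group gets no rights on the OU itself, which keeps the delegation as narrow as the template describes.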