Re: Resetting passwords with ldp
- From: "Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx>
- Date: Tue, 30 May 2006 20:56:12 -0400
You don't delegate specific properties for reset password rights, you delegate the Reset Password Extended Right.
You might want to check out the Microsoft Active Directory Delegation White Paper for more info.
joe
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
Kevin Crowley wrote:
Hi..
I have a situation where I want a specific ADAM user in charge of
resetting ADAM user passwords for a group of customers. I don't want
him to have control over everything, only being able to reset
passwords. I also don't want him to be able to see anything outside his
scope. So I created him, and a role specific to this type of user,
should the need for a second one ever arise, and ran a few lines
through dsacls to give him the permissions he needs, but something is
not totally right because it still barks back "insufficient rights".
Here are my commands and the LDP output. I'm able to get the scope down
to the right ou, and also bind correctly. I'm using the ldp option to
encrypt traffic after bind, and just to be sure that's not the problem,
I also used dsmgmt to disable the encrypted traffic requirement.
C:\WINDOWS\ADAM>dsacls "\\localhost:50001\ou=Customers,ou=Apps,dc=burgiss,dc=sso" /G "CN=Password Resetters,CN=Roles,DC=burgiss,DC=sso":WPRP;unicodepwd;user /I:S
C:\WINDOWS\ADAM>dsacls "\\localhost:50001\ou=Customers,ou=Apps,dc=burgiss,dc=sso" /G "CN=Password Resetters,CN=Roles,DC=burgiss,DC=sso":WPRP;unicodepwd;group /I:S
C:\WINDOWS\ADAM>dsacls "\\localhost:50001\ou=Customers,ou=Apps,dc=burgiss,dc=sso" /G "CN=Password Resetters,CN=Roles,DC=burgiss,DC=sso":WPRP;userpassword;user /I:S
C:\WINDOWS\ADAM>dsacls "\\localhost:50001\ou=Customers,ou=Apps,dc=burgiss,dc=sso" /G "CN=Password Resetters,CN=Roles,DC=burgiss,DC=sso":WPRP;userpassword;group /I:S
C:\WINDOWS\ADAM>dsacls "\\localhost:50001\ou=Customers,ou=Apps,dc=burgiss,dc=sso" /G "CN=Password Resetters,CN=Roles,DC=burgiss,DC=sso":GR;; /I:T
At the end dsacls says the perms look like this:
Owner: CN=Administrators,CN=Roles,DC=burgiss,DC=sso
Group: CN=Administrators,CN=Roles,DC=burgiss,DC=sso
Access list:
Allow CN=Password Resetters,CN=Roles,DC=burgiss,DC=sso
SPECIAL ACCESS
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow CN=Password Resetters,CN=Roles,DC=burgiss,DC=sso
SPECIAL ACCESS
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow CN=Readers,CN=Roles,DC=burgiss,DC=sso
SPECIAL ACCESS <Inherited from parent>
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow CN=Administrators,CN=Roles,DC=burgiss,DC=sso
FULL CONTROL <Inherited from parent>
Permissions inherited to subobjects are:
Inherited to all subobjects
Allow CN=Password Resetters,CN=Roles,DC=burgiss,DC=sso
SPECIAL ACCESS
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow CN=Readers,CN=Roles,DC=burgiss,DC=sso
SPECIAL ACCESS <Inherited from parent>
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow CN=Administrators,CN=Roles,DC=burgiss,DC=sso
FULL CONTROL <Inherited from parent>
Inherited to user
Allow CN=Password Resetters,CN=Roles,DC=burgiss,DC=sso
SPECIAL ACCESS
WRITE PERMISSIONS
Inherited to group
Allow CN=Password Resetters,CN=Roles,DC=burgiss,DC=sso
SPECIAL ACCESS
WRITE PERMISSIONS
Inherited to user
Allow CN=Password Resetters,CN=Roles,DC=burgiss,DC=sso
SPECIAL ACCESS for unicodePwd
WRITE PROPERTY
READ PROPERTY
Inherited to group
Allow CN=Password Resetters,CN=Roles,DC=burgiss,DC=sso
SPECIAL ACCESS for unicodePwd
WRITE PROPERTY
READ PROPERTY
Inherited to user
Allow CN=Password Resetters,CN=Roles,DC=burgiss,DC=sso
SPECIAL ACCESS for userPassword
WRITE PROPERTY
READ PROPERTY
Inherited to group
Allow CN=Password Resetters,CN=Roles,DC=burgiss,DC=sso
SPECIAL ACCESS for userPassword
WRITE PROPERTY
READ PROPERTY
The command completed successfully
When I go into LDP and bind as the user, I go to tree, and type in his
ou root: ou=customers,ou=apps,dc=burgiss,dc=sso. And that shows up fine.
I tried it with leaving it blank and it doesn't list anything other
than the domain schema and configuration, so that works the way I want
it. But if I highlight any particular customer, go to modify, and put
attribute: userpassword, value <password>, ldp spits out:
***Call Modify...
ldap_modify_s(ld, 'CN=0007eada-4e72-46db-b5e2-048e46294a4d,OU=Customers,OU=Apps,DC=burgiss,DC=sso', attrs);
Error: Modify: Insufficient Rights. <50>
Server error: 00002098: SecErr: DSID-03152052, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
Error 0x2098 Insufficient access rights to perform the operation.
-----------
I guess what I'm really asking is, what other lines do I need to put
into DSACLS to make this function properly?
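Added example, not part of the original thread: what Joe's advice looks like as a command. A password reset is authorized by the "Reset Password" control access right (an extended right), not by WRITE PROPERTY on unicodePwd or userPassword, so the ACE has to name that right. The instance, OU and role DNs are taken from Kevin's post; the ADAM admin credential, the function names and the verification step are assumptions for illustration. The second function does the same thing through System.DirectoryServices, which avoids dsacls quoting problems; the two GUIDs it uses are the well-known rightsGuid of Reset Password and the schemaIDGUID of the user class.

```powershell
# Added example (not from the original post). Grant the Reset Password extended
# right on user objects under the Customers OU to the ADAM "Password Resetters" role.
$Instance = 'localhost:50001'                                           # from the post
$TargetOu = 'OU=Customers,OU=Apps,DC=burgiss,DC=sso'                    # from the post
$RoleDn   = 'CN=Password Resetters,CN=Roles,DC=burgiss,DC=sso'          # from the post

function Grant-ResetPasswordWithDsacls {
    # dsacls /G syntax: "<trustee>:<perms>;<object type or extended right>;<inherited object type>"
    #   CA             = control access (extended right), as opposed to WPRP for a property
    #   Reset Password = the display name of the right, not an attribute name
    #   user           = only user objects inherit the ACE
    # /I:S puts the ACE on child objects only, so the OU itself is not affected.
    $target = "\\$Instance\$TargetOu"
    & dsacls $target /I:S /G "${RoleDn}:CA;Reset Password;user"

    # Verify: the right should now appear in the "Inherited to user" section of the ACL dump.
    $acl = & dsacls $target
    if (($acl -join "`n") -match 'Reset Password') {
        'Reset Password right is present on the OU ACL'
    } else {
        Write-Warning 'Reset Password right not found; check the trustee DN and the /G quoting'
    }
}

function Grant-ResetPasswordWithDirectoryServices {
    param(
        [Parameter(Mandatory)] [string] $AdminUser,     # assumption: an ADAM administrator account
        [Parameter(Mandatory)] [string] $AdminPassword
    )
    Add-Type -AssemblyName System.DirectoryServices

    $resetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # rightsGuid of "Reset Password"
    $userClass          = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of class "user"

    # ADAM roles have an objectSid; the ACE trustee must be that SID, not the DN.
    $role = New-Object System.DirectoryServices.DirectoryEntry(
        "LDAP://$Instance/$RoleDn", $AdminUser, $AdminPassword)
    $sid  = New-Object System.Security.Principal.SecurityIdentifier(
        [byte[]]$role.Properties['objectSid'][0], 0)

    $ou = New-Object System.DirectoryServices.DirectoryEntry(
        "LDAP://$Instance/$TargetOu", $AdminUser, $AdminPassword)

    # ExtendedRight + the right's GUID is the control access ACE; Descendents + user class
    # matches the dsacls "/I:S ... ;user" form above.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $resetPasswordRight,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClass)
    $ou.ObjectSecurity.AddAccessRule($rule)
    $ou.CommitChanges()

    # Return the ACEs that now carry the right, for inspection.
    $ou.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.ObjectType -eq $resetPasswordRight }
}

# Usage (either one is sufficient):
#   Grant-ResetPasswordWithDsacls
#   Grant-ResetPasswordWithDirectoryServices -AdminUser 'CN=admin,CN=Roles,DC=burgiss,DC=sso' -AdminPassword '...'
```

Two practitioner notes that follow from the right being an extended right. First, once it is granted, the four WPRP ACEs on unicodePwd and userPassword from the post can be removed: they do not authorize a reset, and leaving unused write ACEs on password attributes only widens the role's footprint. Second, the server checks Reset Password for a single LDAP Replace of the password attribute (which is what LDP's Modify dialog sends); a Delete of the old value followed by an Add of the new value is a user-initiated change and is authorized differently, so the LDP test in the post is the right one for verifying this grant.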