Re: Delegating AD Rights (Enable/Disable Accounts)
- From: "David Denmark" <ddenmark-delete-@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 19 Sep 2006 10:56:53 -0700
Hi Sam,
Thank you for your feedback. I will definitely pass it on to my Customer
Svc mgr. I appreciate the opportunity to show you what's out there in terms
of user management tools.
Dave Denmark,
MCSE+I, MCDBA
www.advtoolware.com
Sam wrote:
Unfortunately due to the small scale of the project and the fact that
it won't be used that often, 2 users managing 6 accounts between
them, a commercial package can't be justified. Had I a budget for
this I'd have ordered Javelina's ADtoolkit in a flash as it does exactly
what I want out of the box.
For this a homegrown script/app is a must although I appreciate the
sales pitch.
Sam Gaw wrote:
I'm in the middle of trying to work out how to delegate control over
user accounts in AD to non-admin staff so that they will be able to
enable & disable guest accounts within a specific OU.
Originally I had looked at just building up a custom MMC and only
delegating the enable/disable permissions to a security group that
would then use the snap-in but because this will be used by
non-technical staff even that confused them so I'm now looking at the
option of an HTA app or something along those lines where the only
thing shown to the staff is the accounts & the enable/disable
buttons.
Unfortunately this has proven more difficult than I originally
thought it would be & was wondering if anyone had done anything
remotely similar or had any pointers to get me moving in the right
direction?
Any help or advice on this would be very much appreciated.
Hi Sam,
Instead of working with standard Microsoft tools, I would recommend
that you take a look at the User Management Resource Administrator
Forms & Delegation module. With it, you can create an easy to use
interface (functions similar to a web form) that is connected to
scripts to handle user management (such as enable/disable). Also
part of the UMRA are powerful LDAP tables, that can search AD and
show you a specific set of results for your users to view (such as
all enabled users in a specific OU for the Disable User form, vice
versa for the Enable User form).
On top of all of this, you do not need to give your non-admin users
administrative privileges on the network, or even any special
permissions as Domain User rights will work just fine. The UMRA
works as a proxy service to Active Directory, allowing users that
have permission to load a project, access to execute the project.
Users that do not have permission to run it will not even see the
form. The Form client handles all authentication for the users, so
all you need to do is map a shortcut to the client and your forms
are ready to go. For more information on the security aspects,
please let me know.
You can check out the UMRA at our web site www.advtoolware.com or
send us an e-mail to support -at- advtoolware -dot- com.
Thanks,
Dave Denmark