12 October 2012

Active Directory Delegation

It's been a while since my last post and now is time to add new one :)

Today I was at the customer with a task to delegate some Active Directory permissions for Help Desk users.

My task was to create a "script" for:
- Delegate Unlock user account.
- Delegate Reset password to user account.
- Delegate Move computer account from default folder to designated OU.
- Delegate Add or remove users from security or distribution group.
- Delegate Change some of user object attributes (Telephone number, Mobile phone number, Office, Department, ...).

Of course you can do all of this with GUI but we're a bit lazy, we don't want to click a lot and the most important reason we sure want to look smart, so that's why we use command line.

If you still decide to use GUI you'll probably need to edit DSSEC.DAT (under Users add pwdLastSet=0), to display some attributes.

For this task I used command dsacls.exe, and here you can find more about it.

We also used two security groups approach. Resource security group (Change password, Unlock user account, ...) and Users security group (Help Desk). At the end we added Users security group into all Resource security groups. With this we achieved that members of Users security group are able to do all the necessary tasks regarding users and computers management.

So let's get to business :)

To delegate password reset and unlock user you can use this command lines:
dsacls ou=ou_name,dc=domain,dc=com /i:s /g domain\SecGroupName:ca;reset password;user
dsacls ou=ou_name,dc=domain,dc=com /i:s /g domain\SecGroupName:rpwp;pwdlastset;user
dsacls ou=ou_name,dc=domain,dc=com /i:s /g domain\SecGroupName:rpwp;lockouttime;user

Explanation:
"ou=ou_name,dc=domain,dc=com" is OU where users are located
"domain\SecGroupName" is Resource security group to which we delegate permissions

To delegate add/remove group membership you can use this command lines:
dsacls ou=ou_name,dc=domain,dc=com /i:s /g domain\SecGroupNam:rpwp;member;group

Explanation:
"ou=ou_name,dc=domain,dc=com" is OU where groups are located
"domain\SecGroupName" is Resource security group to which we delegate permissions

To delegate moving computers between OU's you can use this command lines:
dsacls ou=ou_name,dc=domain,dc=com /i:t /g domain\SecGroupName:cc;computer;
dsacls cn=computers,dc=domain,dc=com /g domain\SecGroupName:dc;computer;
dsacls cn=computers,dc=domain,dc=com /i:s /g domain\SecGroupName:wp;;computer

Explanation:
"ou=ou_name,dc=domain,dc=com" is OU to where you want to move computers
"cn=computers,dc=domain,dc=com" is folder from where you want to move computers
"domain\SecGroupName" is Resource security group to which we delegate permissions

To delegate changing user attributes you can use this command lines:
dsacls ou=ou_name,dc=domain,dc=com /i:s /g domain\SecGroupName:rpwp;telephonenumber;user
dsacls ou=ou_name,dc=domain,dc=com /i:s /g domain\SecGroupName:rpwp;company;user
dsacls ou=ou_name,dc=domain,dc=com /i:s /g domain\SecGroupName:rpwp;mobile;user
dsacls ou=ou_name,dc=domain,dc=com /i:s /g domain\SecGroupName:rpwp;physicaldeliveryofficename;user
dsacls ou=ou_name,dc=domain,dc=com /i:s /g domain\SecGroupName:rpwp;roomnumber;user

Explanation:
"ou=ou_name,dc=domain,dc=com" is OU to where users are located
"domain\SecGroupName" is Resource security group to which we delegate permissions

There are at least two approaches that can be used in bigger productions instead using command lines below. First is to use Excel (concatenate) and the second is to use batch scripts like in the sample below.

In this sample we'll delegate add/remove group membership with a batch script.

1. Create Delegate-AdRights.bat
2. Edit Delegate-AdRights.bat and copy paste code below into it.
dsacls %1 /i:s /g %2:rpwp;member;group
3. Run batch file in command prompt with additional variables as shown below
Delegate-AdRights.bat ou=ou_name,dc=domain,dc=com domain\SecGroupName

Explanation:
"ou=ou_name,dc=domain,dc=com" is OU where users are located
"domain\SecGroupName" is Resource security group to which we delegate permissions

This is it for today. Have fun!

1 comment: