
Creating a taskpad and delegating several admin tasks like join domain permission


JOIN COMPUTERS TO THE DOMAIN - MOVE COMPUTERS BETWEEN OU'S - RESET USER PASSWORDS - CREATE EXCHANGE MAILBOXES - ADD AND REMOVE GROUPS TO USERS - Unlock user accounts

For information on how to create and use Taskpad Views see:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/3d0c783c-7789-4400-953b-d22a501ae535.mspx
http://www.winsupersite.com/showcase/win2k_taskpad.asp
http://www.petri.co.il/create_taskpads_for_ad_operations.htm

If you want to delegate the use of an attribute and that attribute is not listed in the property/attribute-specific list, the attribute is hidden from view. To be able to use that attribute in the Delegation of Control Wizard on THAT SPECIFIC DC, open DSSEC.DAT in %WINDIR%\SYSTEM32, search for the attribute you want to use (make sure you are making the change under the correct [OBJECT]) and change the value 7 to 0 (zero). Save DSSEC.DAT and RE-OPEN Active Directory Users and Computers. Before doing this, make a copy of the original DSSEC.DAT (e.g. DSSEC.DAT.ORG), and afterwards make a copy of the changed DSSEC.DAT (e.g. DSSEC.DAT.CUST): if a hotfix or SP replaces the file, your changes are otherwise lost.
Sakari Kouti (http://www.kouti.com/) also has some info about the use of the DSSEC.DAT file. Go to http://www.kouti.com/scripts.htm and search for "Modified DSSec.Dat" (without the quotes!)

The following are some example tasks and information about them. For more information on delegating tasks see:
http://www.microsoft.com/downloads/details.aspx?FamilyID=631747a3-79e1-48fa-9730-dae7c0a1d6d3&DisplayLang=en
AND
http://www.microsoft.com/downloads/details.aspx?FamilyID=29dbae88-a216-45f9-9739-cb1fb22a0642&DisplayLang=en

################################
1. JOIN COMPUTERS TO THE DOMAIN
---------------------------------
This is possible through the Delegation of Control Wizard, but read the following recommendations first.

The User Right "Add workstation to the domain" by default (configured in the Default Domain Controllers GPO) grants EVERY AUTHENTICATED USER (even non-admin users) in the domain the right to add/join workstations to the domain. It is best to remove "Authenticated Users" from that user right or to set the quota to 0 (the quota is specified in the "ms-DS-MachineAccountQuota" attribute on the domain NC head) (see: http://support.microsoft.com/?id=251335).

For true delegation it is better to delegate the right to create computer accounts and to join computers as mentioned below.

Using the Delegation of Control Wizard you can delegate the creation of computer accounts in the domain. This does not mean the same user/group can also JOIN the computer to the domain. In the DELEGWIZ.INF file (%WINDIR%\INF) look at template 6.
By default "AppliesToClasses" is set to "domainDNS" (case sensitive and without quotes). With this you can only delegate computer account creation at domain level. Change it to "domainDNS,organizationalUnit,container" (case sensitive and without quotes) and you will be able to delegate at OU level.

If you delegate the creation of computer accounts to a group (e.g. GROUP-CREATE-COMPOBJ), the member of that group who creates the computer account becomes its owner and automatically receives the right to join a computer with that name to the domain. The other members of that group will not be able to join the computer to the domain; only the user who created the computer account can.
Let's say you have another group called GROUP-JOIN-COMP that is allowed to join computers to the domain (but not to create computer accounts). The user who creates the computer account can designate which user or group gets the right to join the computer to the domain with the option "The following group or user can join this computer to a domain" (by default the Domain Admins group). The group selected in that option will then be able to join the computer to the domain. In my opinion that is a lot of work just to create a computer account and join it.

It is, however, possible to pre-configure the option "The following group or user can join this computer to a domain" (which is by default the Domain Admins group).

Add a NEW template to the DELEGWIZ.INF file (%WINDIR%\INF) that you can use to delegate the task of JOINING COMPUTERS TO THE DOMAIN (not the creation of computer accounts). The minimum rights are listed below.

REPLACE THE X with an UNUSED NUMBER!

;----------------------------------------------------------
[templateX]
AppliesToClasses = domainDNS,organizationalUnit,container

Description = "Join a computer to the domain in an OU (computer account pre-created)"

ObjectTypes = computer

[templateX.computer]
;Right to join computers to domain
CONTROLRIGHT= "Reset Password","Validated write to DNS host name","Validated write to service principal name", "Account Restrictions"
;----------------------------------------------------------

This way you can delegate the creation of computer accounts to group1 and the joining of the computers to group2.

It is also possible that you have a group of people who both create computer accounts and join them. To allow everyone in that group to create computer accounts and join the computers to the domain, regardless of who created the computer account, replace TEMPLATE 6 with the version below, or perform the delegation twice using the additional task created above. If you want to join a computer to the domain in a specific OU and the computer account has not been pre-created, you cannot use the GUI at the computer. For this you must use the tool NETDOM, so you can specify the OU in which the computer account must reside. The latter is only possible when you at least have the right to create a computer object in the designated OU. Joining will then also be possible because you automatically become the owner of the computer account.

;----------------------------------------------------------
[template6]
AppliesToClasses = domainDNS,organizationalUnit,container

Description = "Add and/or join a computer to the domain in an OU (computer)"

ObjectTypes = SCOPE, computer

[template6.SCOPE]
;Right to create computer objects
computer=CC

[template6.computer]
;Right to join computers to domain
CONTROLRIGHT= "Reset Password","Validated write to DNS host name","Validated write to service principal name", "Account Restrictions"
;----------------------------------------------------------
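As an added example (not code from the original post), the helper below covers both hand edits described in this post: unhiding an attribute in DSSEC.DAT under the correct [OBJECT] section only, and picking an unused template number for the join-only DELEGWIZ.INF template. The SAMPLE_* file fragments are constructed; the helper renders the new template section as text to paste and does not rewrite DELEGWIZ.INF itself.

```python
"""INI-style helpers for the two files this post edits by hand: DSSEC.DAT
(unhide an attribute under the right [OBJECT]) and DELEGWIZ.INF (add a
template under an unused number). Added example, not from the original
post; SAMPLE_* contents are constructed, not copied from a real DC."""
import re

SECTION_RE = re.compile(r"^\[([^\]]+)\]\s*$")
TEMPLATE_RE = re.compile(r"^\[template(\d+)\]\s*$", re.IGNORECASE)

def unhide_attribute(dssec_text, object_class, attribute):
    """Turn 'attribute=7' into 'attribute=0' under [object_class] only; the
    same attribute under another class stays hidden. Returns (text, changed)."""
    out, in_section, changed = [], False, False
    for line in dssec_text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            in_section = m.group(1).lower() == object_class.lower()
        elif in_section:
            key, sep, val = line.partition("=")
            if sep and key.strip().lower() == attribute.lower() and val.strip() == "7":
                line, changed = f"{key.strip()}=0", True
        out.append(line)
    return "\n".join(out) + "\n", changed

def next_free_template(delegwiz_text):
    """'Replace X with an UNUSED number': one past the highest [templateN]."""
    used = [int(m.group(1)) for line in delegwiz_text.splitlines()
            if (m := TEMPLATE_RE.match(line.strip()))]
    return max(used, default=0) + 1

def join_computer_template(number):
    """Render the post's join-only template (no right to create computers)."""
    return "\n".join([
        f"[template{number}]",
        "AppliesToClasses = domainDNS,organizationalUnit,container",
        'Description = "Join a computer to the domain in an OU '
        '(computer account pre-created)"',
        "ObjectTypes = computer",
        f"[template{number}.computer]",
        ";Right to join computers to domain",
        'CONTROLRIGHT= "Reset Password","Validated write to DNS host name",'
        '"Validated write to service principal name", "Account Restrictions"',
    ]) + "\n"

# Constructed samples: lockoutTime hidden for two classes; highest template is 6.
SAMPLE_DSSEC = "[computer]\nlockoutTime=7\n[user]\nlockoutTime=7\npwdLastSet=7\n"
SAMPLE_DELEGWIZ = ("[template1]\nAppliesToClasses = domainDNS\n[template6]\n"
                   "AppliesToClasses = domainDNS,organizationalUnit,container\n")
```

Running `unhide_attribute(SAMPLE_DSSEC, "user", "lockoutTime")` changes only the [user] entry and leaves the [computer] one at 7, which is the mistake the post warns about when editing under the wrong [OBJECT].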

################################
2. MOVE COMPUTERS BETWEEN OU'S
---------------------------------
In order to move an object in DS, you need the following three permissions:

1) DELETE_CHILD on the source container or DELETE on the object being moved
2) WRITE_PROP on the object being moved for two properties: RDN (name) and CN (or whatever happens to be the rdn attribute for this class, i.e. ou for org units).
3) CREATE_CHILD on the destination container.

This is not available as a common task in the Delegation of Control Wizard, so you need to create a custom task in the wizard and select the correct permissions yourself.
################################
3. RESET USER PASSWORDS
---------------------------------
To reset user passwords you need the “Reset Password” extended right on the user object. This is also available through the Delegation of Control Wizard using the common delegated task “Reset a user account’s password”.

If you want to reset user passwords and force a password change at next logon, you need the “Reset Password” extended right on the user object and Read/Write permissions on the attribute “pwdLastSet”. This is also available through the Delegation of Control Wizard using the common delegated task “Reset user passwords and force password change at next logon”.
################################
4. CREATE EXCHANGE MAILBOXES
---------------------------------
To create a user and assign a mailbox you need:
the right to create User objects, write permission on the attribute “userAccountControl” of the user object, and the extended right “Reset Password” on the user object.
This is also available through the Delegation of Control Wizard using the common delegated task “Create a user account”.

To additionally assign a mailbox to the user you need Exchange View Only Administrator permissions in Exchange (at organization level or administrative group level, depending on the scope wanted/needed).
To assign a mailbox to a user account you don’t have permissions for, you need the permissions mentioned in http://support.microsoft.com/Default.aspx?id=316792
################################
5. ADD AND REMOVE GROUPS TO USERS
---------------------------------
The permissions to change group membership are controlled through the group and not through the user. For this you need RP/WP (read/write property) on the attribute “member” of the group to which you want to add another security principal (user, group or computer).
This is also available through the Delegation of Control Wizard using the common delegated task “Modify the membership of a group”.

################################
6. Unlock user accounts
---------------------------------
To unlock accounts you need read/write permission on the "lockoutTime" attribute of the user object. Unfortunately the Delegation of Control Wizard has no common delegated task such as “Unlock a user account” for this.

However, you can still use the Delegation of Control Wizard to create a custom task that applies to user objects and is property specific. In the list shown, select "Read lockoutTime" and "Write lockoutTime".
