
Creating a taskpad and delegating several admin tasks like join domain permission


JOIN COMPUTERS TO THE DOMAIN - MOVE COMPUTERS BETWEEN OUs - RESET USER PASSWORDS - CREATE EXCHANGE MAILBOXES - ADD AND REMOVE GROUPS TO USERS - UNLOCK USER ACCOUNTS

For information on how to create and use Taskpad Views see:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/3d0c783c-7789-4400-953b-d22a501ae535.mspx
http://www.winsupersite.com/showcase/win2k_taskpad.asp
http://www.petri.co.il/create_taskpads_for_ad_operations.htm

If you want to delegate a particular attribute and it is not listed in the property/attribute-specific list, the ACL editor is hiding it. The filter is DSSEC.DAT in %WINDIR%\SYSTEM32, and it is read by the console on the machine where you run it, so the change only affects THAT SPECIFIC DC (or admin workstation). Open DSSEC.DAT, search for the attribute you want to use (make sure you are editing under the correct [OBJECT] section) and change its value from 7 (hidden) to 0 (zero: read and write shown). Save DSSEC.DAT and RE-OPEN Active Directory Users and Computers. Before doing this, make a copy of the original DSSEC.DAT (e.g. DSSEC.DAT.ORG), and afterwards make a copy of the changed DSSEC.DAT (e.g. DSSEC.DAT.CUST): if a hotfix or service pack replaces the file, your changes are otherwise lost.
Sakari Kouti (http://www.kouti.com/) also has information about the use of DSSEC.DAT. Go to http://www.kouti.com/scripts.htm and search for "Modified DSSec.Dat" (without the quotes).
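The edit above is easy to get wrong by hand (wrong section, no backup). The script below is an added example, not code from the original post: it makes the backup copies, flips one attribute under one [object] section from 7 to 0 and keeps the customised copy. It assumes the file layout the post describes (an INI-style "[object]" section with "attribute=7" lines) and the default location %WINDIR%\System32\dssec.dat; the parameter names are my own.

```powershell
# Added example (not from the original post): expose a hidden attribute in the
# ACL editor / Delegation of Control Wizard by editing DSSEC.DAT in place.
# Assumed layout: "[user]" style sections containing "lockoutTime=7" lines,
# where 7 = hidden and 0 = read and write shown (as the post states).
param(
    [string]$ObjectClass = 'user',        # section name, e.g. user or computer
    [string]$Attribute   = 'lockoutTime', # attribute to make visible
    [string]$Path        = (Join-Path $env:WINDIR 'System32\dssec.dat')
)

# Keep the untouched vendor file once; never overwrite it on later runs.
if (-not (Test-Path "$Path.org")) { Copy-Item -Path $Path -Destination "$Path.org" }

$section = $null
$changed = $false
$pattern = "^\s*$([regex]::Escape($Attribute))\s*=\s*\d+\s*$"

$out = foreach ($line in (Get-Content -Path $Path)) {
    if ($line -match '^\s*\[(?<name>[^\]]+)\]\s*$') {
        $section = $Matches.name      # track which [object] section we are in
        $line
        continue
    }
    # Only rewrite "attr=value" inside the requested section; leave everything else byte-for-byte.
    if ($section -eq $ObjectClass -and $line -match $pattern) {
        $changed = $true
        "$Attribute=0"
        continue
    }
    $line
}

if (-not $changed) {
    throw "No '$Attribute=' entry found under [$ObjectClass] in $Path (check the section name)"
}

Set-Content -Path $Path -Value $out
# Keep the customised copy so it can be restored after a hotfix or SP replaces the file.
Copy-Item -Path $Path -Destination "$Path.cust" -Force
"Exposed $Attribute under [$ObjectClass]; re-open Active Directory Users and Computers."
```

Run it elevated on the machine where the console is used, e.g. `.\Show-DsSecAttribute.ps1 -ObjectClass user -Attribute lockoutTime`; the file is local, so repeat it on every DC or admin workstation that needs the attribute visible.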

The following are some example tasks and notes about them. For more information on delegating tasks see:
http://www.microsoft.com/downloads/details.aspx?FamilyID=631747a3-79e1-48fa-9730-dae7c0a1d6d3&DisplayLang=en
AND
http://www.microsoft.com/downloads/details.aspx?FamilyID=29dbae88-a216-45f9-9739-cb1fb22a0642&DisplayLang=en

################################
1. JOIN COMPUTERS TO THE DOMAIN
---------------------------------
This is possible through the Delegation of Control Wizard, but read the following recommendations first.

The user right "Add workstations to domain" (configured in the Default Domain Controllers GPO) is granted by default to Authenticated Users, so EVERY authenticated user in the domain (even non-admin users) can add/join workstations to the domain. The number of computers each such user may add is limited by the "ms-DS-MachineAccountQuota" attribute on the domain NC head (10 by default). It is best to remove "Authenticated Users" from that user right or set the quota to 0 (see: http://support.microsoft.com/?id=251335).
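Before tightening the default it is worth seeing how much it has actually been used. The script below is an added example, not from the original post: it reads ms-DS-MachineAccountQuota from the domain NC head, lists computer accounts that were joined under that quota (AD stamps the joining user's SID into the mS-DS-CreatorSID attribute of such accounts, while accounts created by a principal holding explicit Create Child rights have it empty) and, only when asked, sets the quota to 0. It assumes the ActiveDirectory PowerShell module (RSAT) and an account allowed to read, and for the last step write, the domain object; the -SetQuotaToZero switch is my own.

```powershell
# Added example; not from the original post. Requires the ActiveDirectory module.
param([switch]$SetQuotaToZero)   # hypothetical switch: only change the quota when asked

Import-Module ActiveDirectory

$domain = Get-ADDomain
$ncHead = Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota on $($domain.DNSRoot): $($ncHead.'ms-DS-MachineAccountQuota') (default is 10)"

# A computer joined under the quota, rather than by someone holding Create Child
# rights, carries the joining user's SID in mS-DS-CreatorSID. Listing those shows
# how much the default has really been used, and by whom.
$quotaJoined = Get-ADComputer -Filter * -Properties 'mS-DS-CreatorSID', whenCreated |
    Where-Object { $null -ne $_.'mS-DS-CreatorSID' } |
    ForEach-Object {
        $raw = $_.'mS-DS-CreatorSID'
        # The module may hand the value back as raw bytes or as a SecurityIdentifier; accept both.
        $sid = if ($raw -is [byte[]]) { New-Object System.Security.Principal.SecurityIdentifier($raw, 0) } else { [System.Security.Principal.SecurityIdentifier]$raw }
        $who = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }  # deleted users stay as SID
        [pscustomobject]@{ Computer = $_.Name; JoinedBy = $who; Created = $_.whenCreated }
    }
"$(@($quotaJoined).Count) computer account(s) were added under the quota:"
$quotaJoined | Sort-Object Created | Format-Table -AutoSize

if ($SetQuotaToZero) {
    # With the quota at 0 the user right alone no longer lets anyone add computers;
    # only principals with explicit Create Child / join rights can (the delegation below).
    # The "Add workstations to domain" user right itself lives in Group Policy
    # (Default Domain Controllers Policy) and is not touched here.
    Set-ADDomain -Identity $domain -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
    "ms-DS-MachineAccountQuota set to 0 on $($domain.DNSRoot)"
}
```

Run it once without the switch to review the list (unexpected JoinedBy entries are worth a look), then with `-SetQuotaToZero` once the delegation described below is in place, or existing workflows that rely on the quota will start failing with "access denied" at join time.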

For true delegation it is better to delegate the right to create computer accounts and the right to join computers, as described below.

Using the Delegation of Control Wizard you can delegate the creation of computer accounts in the domain. This does not mean the same user/group can also JOIN the computer to the domain. In the DELEGWIZ.INF file (%WINDIR%\INF) look at template 6:
By default its "AppliesToClasses" is set to "domainDNS" (case sensitive and without quotes). With this you can only delegate computer account creation at domain level. Change it to "domainDNS,organizationalUnit,container" (case sensitive and without quotes) and you will be able to delegate at OU level.

If you delegate the creation of computer accounts to a group (e.g. GROUP-CREATE-COMPOBJ), the member of that group who creates a computer account becomes the owner of that account and automatically receives the right to join a computer with that name to the domain. The other members of the group do not: only the user who created the computer account will be able to join the computer.
Say you have another group, GROUP-JOIN-COMP, that is allowed to join computers to the domain (but not to create computer accounts). When creating the account, the creator can designate which user or group gets the right to join the computer with the option "The following user or group can join this computer to a domain" (by default the Domain Admins group). The principal named in that option will be able to join the computer to the domain. In my opinion that is a lot of work just to create a computer account and join it.

It is, however, possible to grant in advance what that option ("The following user or group can join this computer to a domain", Domain Admins by default) grants per computer.

Add to the DELEGWIZ.INF file (%WINDIR%\INF) a NEW template that delegates the task of JOINING COMPUTERS TO THE DOMAIN (not the creation of computer accounts). The minimum rights are listed below.

REPLACE the X with an UNUSED template NUMBER!

;----------------------------------------------------------
[templateX]
AppliesToClasses = domainDNS,organizationalUnit,container

Description = "Join a computer to the domain in an OU (computer account pre-created)"

ObjectTypes = computer

[templateX.computer]
;Right to join computers to domain
CONTROLRIGHT= "Reset Password","Validated write to DNS host name","Validated write to service principal name", "Account Restrictions"
;----------------------------------------------------------

This way you can delegate the creation of computer accounts to one group and the joining of the computers to another.

It is also possible that one group of people both creates computer accounts and joins them. So that everyone in that group can create computer accounts and join the computers to the domain regardless of who created the account, replace TEMPLATE 6 with the version below, or delegate twice: once with template 6 and once with the additional task created above.

If you want to join a computer to the domain into a specific OU and the computer account has not been pre-created, you cannot use the GUI on the computer. For this you must use the NETDOM tool, which lets you specify the OU in which the computer account must be created. That is only possible when you have at least the right to create computer objects in the designated OU. Joining will then also work, because you automatically become the owner of the computer account you created.

;----------------------------------------------------------
[template6]
AppliesToClasses = domainDNS,organizationalUnit,container

Description = "Add and/or join a computer to the domain in an OU (computer)"

ObjectTypes = SCOPE, computer

[template6.SCOPE]
;Right to create computer objects
computer=CC

[template6.computer]
;Right to join computers to domain
CONTROLRIGHT= "Reset Password","Validated write to DNS host name","Validated write to service principal name", "Account Restrictions"
;----------------------------------------------------------

################################
2. MOVE COMPUTERS BETWEEN OUs
---------------------------------
In order to move an object in the directory you need the following three permissions:

1) DELETE_CHILD on the source container, or DELETE on the object being moved
2) WRITE_PROP on the object being moved for two properties: RDN ("name") and CN (or whatever the RDN attribute of that class is, e.g. "ou" for organizational units)
3) CREATE_CHILD on the destination container.

This is not available as a common task in the Delegation of Control Wizard, so you need to create a custom task in the wizard and select the correct permissions and properties yourself.
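The two DELEGWIZ.INF templates in section 1 and the three move permissions above are all just ACEs on the OU, and for scripted or repeatable setups it is easier to write them directly than to click through the wizard. The script below is an added example, not code from the original post: it resolves the schema and control-access-right GUIDs from the directory (rather than hard-coding them), then applies the join rights of [templateX], the create right of [template6] and the delete/write/create trio for moving. Two points the templates gloss over: the two "Validated write to ..." entries are Self rights (ADS_RIGHT_DS_SELF), not extended rights, and "Account Restrictions" is a property set, granted as read/write property with the set's rightsGuid as object type. It assumes the ActiveDirectory module (for Get-ADObject and the AD: drive); the group, OU and domain names are placeholders.

```powershell
# Added example, not from the original post. Group/OU names are placeholders.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

# Look the GUIDs up rather than trusting a copy-pasted table.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $o) { throw "schema object '$LdapDisplayName' not found" }
    New-Object System.Guid -ArgumentList (,[byte[]]$o.schemaIDGUID)
}
function Get-RightsGuid([string]$DisplayName) {
    # Extended rights, validated writes and property sets all live under CN=Extended-Rights.
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $o) { throw "control access right '$DisplayName' not found" }
    [guid]$o.rightsGuid
}

function Grant-AdRight {
    param(
        [string]$Path,                                                   # DN of the OU receiving the ACE
        [string]$Principal,                                              # DOMAIN\group
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [guid]$ObjectType = [guid]::Empty,                               # property / set / right / class for CC,DC
        [guid]$InheritedObjectType = [guid]::Empty,                      # class the ACE applies to when inherited
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance = 'None'
    )
    $sid  = (New-Object System.Security.Principal.NTAccount($Principal)).Translate([System.Security.Principal.SecurityIdentifier])
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType, $Inheritance, $InheritedObjectType)
    $acl = Get-Acl -Path "AD:\$Path"
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$Path" -AclObject $acl
}

$computerClass = Get-SchemaGuid 'computer'
$ou            = 'OU=Workstations,DC=example,DC=com'   # placeholder
$stagingOu     = 'OU=Staging,DC=example,DC=com'        # placeholder
$joinGroup     = 'EXAMPLE\GROUP-JOIN-COMP'             # placeholder
$createGroup   = 'EXAMPLE\GROUP-CREATE-COMPOBJ'        # placeholder
$moveGroup     = 'EXAMPLE\GROUP-MOVE-COMP'             # placeholder

# [templateX]: join pre-created computers. Inherit-only ACEs scoped to computer
# objects, so nothing is granted on the OU itself.
Grant-AdRight -Path $ou -Principal $joinGroup -Rights ExtendedRight -ObjectType (Get-RightsGuid 'Reset Password') -InheritedObjectType $computerClass -Inheritance Descendents
foreach ($validated in 'Validated write to DNS host name', 'Validated write to service principal name') {
    Grant-AdRight -Path $ou -Principal $joinGroup -Rights Self -ObjectType (Get-RightsGuid $validated) -InheritedObjectType $computerClass -Inheritance Descendents
}
Grant-AdRight -Path $ou -Principal $joinGroup -Rights 'ReadProperty, WriteProperty' -ObjectType (Get-RightsGuid 'Account Restrictions') -InheritedObjectType $computerClass -Inheritance Descendents

# [template6.SCOPE] computer=CC: create computer objects in the OU (and sub-OUs).
Grant-AdRight -Path $ou -Principal $createGroup -Rights CreateChild -ObjectType $computerClass -Inheritance All

# Section 2: move computers from the staging OU into the workstation OU.
Grant-AdRight -Path $stagingOu -Principal $moveGroup -Rights DeleteChild -ObjectType $computerClass          # 1) on the source
foreach ($attr in 'name', 'cn') {                                                                              # 2) on the objects
    Grant-AdRight -Path $stagingOu -Principal $moveGroup -Rights WriteProperty -ObjectType (Get-SchemaGuid $attr) -InheritedObjectType $computerClass -Inheritance Descendents
}
Grant-AdRight -Path $ou -Principal $moveGroup -Rights CreateChild -ObjectType $computerClass                  # 3) on the destination

# Verify: every ACE we just wrote, as the ACL editor would show it.
(Get-Acl -Path "AD:\$ou").Access | Where-Object { $_.IdentityReference -like 'EXAMPLE\GROUP-*' } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize
```

A member of GROUP-CREATE-COMPOBJ can then do the create-and-join in one step from the workstation with NETDOM, naming the OU explicitly (placeholders again): `netdom join WKS01 /domain:example.com /ou:"OU=Workstations,DC=example,DC=com" /userd:EXAMPLE\creator /passwordd:* /reboot`. A member of GROUP-JOIN-COMP can only join a computer whose account already exists in that OU, which is exactly the split the two templates describe.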
################################
3. RESET USER PASSWORDS
---------------------------------
To reset user passwords you need the "Reset Password" extended right on the user object. This is also available through the Delegation of Control Wizard using the common delegated task "Reset a user account's password".

If you want to reset user passwords and force a password change at next logon, you need the "Reset Password" extended right on the user object plus Read/Write permission on the attribute "pwdLastSet" (setting it to 0 forces the change). This is also available through the wizard using the common delegated task "Reset user passwords and force password change at next logon".
################################
4. CREATE EXCHANGE MAILBOXES
---------------------------------
To create a user and assign a mailbox you need:
the right to create User objects, write permission on the attribute "userAccountControl" of the user object, and the extended right "Reset Password" on the user object.
This is also available through the Delegation of Control Wizard using the common delegated task "Create a user account".

To additionally assign a mailbox to the user you need the Exchange View Only Administrator role in Exchange (at organization level or administrative group level, depending on the scope wanted/needed).
To assign a mailbox to a user account you do not otherwise have permissions for, you need the permissions described in http://support.microsoft.com/Default.aspx?id=316792
################################
5. ADD AND REMOVE GROUPS TO USERS
---------------------------------
The permission to change group membership is controlled through the group, not through the user. You need Read/Write Property on the attribute "member" of the group you want to add a security principal (user, group or computer) to.
This is also available through the Delegation of Control Wizard using the common delegated task "Modify the membership of a group".

################################
6. Unlock user accounts
---------------------------------
To unlock accounts you need Read/Write permission on the "lockoutTime" attribute of the user object. Unfortunately the Delegation of Control Wizard has no common delegated task such as "Unlock a user account" for this.

However, still using the wizard, you can create a custom task that applies to user objects and is property-specific. In the list shown select "Read lockoutTime" and "Write lockoutTime".
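The three user-side delegations in sections 3, 5 and 6 are each a single property or control-access ACE, and DSACLS.EXE (in the Windows Server 2003 Support Tools, built in from Windows Server 2008) applies them without the wizard and without DSSEC.DAT edits, since it does not filter attributes. The commands below are an added example, not from the original post; the group, OU and group DN are placeholders, and the dsacls argument form used is `principal:permissions;attribute-or-right;inherited-object-class` with /I:S meaning "sub-objects only".

```powershell
# Added example; not from the original post. Placeholders for your own names:
$helpdesk = 'EXAMPLE\GROUP-HELPDESK'
$usersOu  = 'OU=Users,OU=Corp,DC=example,DC=com'
$groupDn  = 'CN=VPN-Users,OU=Groups,DC=example,DC=com'

# 3. Reset password and force a change at next logon: the "Reset Password"
#    control access right (CA) plus read/write (RPWP) on pwdLastSet,
#    inherited to user objects only (/I:S ... ;user), so computers and groups
#    in the same OU are untouched.
dsacls $usersOu /I:S /G "${helpdesk}:CA;Reset Password;user"
dsacls $usersOu /I:S /G "${helpdesk}:RPWP;pwdLastSet;user"

# 6. Unlock: read/write on lockoutTime (clearing it to 0 unlocks the account).
dsacls $usersOu /I:S /G "${helpdesk}:RPWP;lockoutTime;user"

# 5. Group membership is an ACE on the group object, not on the user:
#    read/write on the "member" attribute of that one group.
dsacls $groupDn /G "${helpdesk}:RPWP;member"

# Verify what was written, as seen on the OU and on the group.
dsacls $usersOu | Select-String -SimpleMatch $helpdesk
dsacls $groupDn | Select-String -SimpleMatch $helpdesk
```

Granting "member" on a whole OU of groups (`dsacls $groupsOu /I:S /G "...:RPWP;member;group"`) is the OU-wide variant; keep it off OUs that contain privileged groups, because write access to "member" on those is effectively full control of the domain.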
