    Creating a taskpad and delegating several admin tasks like join domain permission

    Creating a taskpad and delegating several admin tasks
    JOIN COMPUTERS TO THE DOMAIN - MOVE COMPUTERS BETWEEN OU'S - RESET USER PASSWORDS - CREATE EXCHANGE MAILBOXES - ADD AND REMOVE GROUPS TO USERS - Unlock user accounts

    For information on how to create and use Taskpad Views see:
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/3d0c783c-7789-4400-953b-d22a501ae535.mspx
    http://www.winsupersite.com/showcase/win2k_taskpad.asp
    http://www.petri.co.il/create_taskpads_for_ad_operations.htm

    If for some reason you want to delegate the use of some attribute and that attribute is not listed in the property/attribute-specific list, then that attribute is hidden from being viewed. To be able to use that attribute in the Delegation of Control Wizard on THAT SPECIFIC DC, open DSSEC.DAT in %WINDIR%\SYSTEM32, search for the attribute you want to use (make sure you are making changes under the correct [OBJECT]) and change the value 7 to a value 0 (zero). Save DSSEC.DAT and RE-OPEN Active Directory Users and Computers. Before doing this make a copy of the original DSSEC.DAT (e.g. DSSEC.DAT.ORG) and after doing this make a copy of the changed DSSEC.DAT (e.g. DSSEC.DAT.CUST) (if for some reason a hotfix or SP replaces the file you have lost your changes).
    Sakari Kouti (http://www.kouti.com/) also has some info about the use of the DSSEC.DAT file. Go to http://www.kouti.com/scripts.htm and search for "Modified DSSec.Dat" (without the quotes!).

    The following are some example tasks and information about them. For more and additional information on delegating tasks see:
    http://www.microsoft.com/downloads/details.aspx?FamilyID=631747a3-79e1-48fa-9730-dae7c0a1d6d3&DisplayLang=en
    AND
    http://www.microsoft.com/downloads/details.aspx?FamilyID=29dbae88-a216-45f9-9739-cb1fb22a0642&DisplayLang=en

    ################################
    1. JOIN COMPUTERS TO THE DOMAIN
    ---------------------------------
    Well, this is possible through the Delegation of Control Wizard. Read the following first which gives some recommendations.

    The User Right "Add workstation to the domain" by default (configured in the Default Domain Controllers GPO) grants EVERY AUTHENTICATED USER (even non-admin users) in the domain to add/join workstations to the domain. It is best to remove "authenticated users" from that user right or set the quota to 0 (which is specified in the "ms-DS-MachineAccountQuota" attribute on the domain NC head)(see: http://support.microsoft.com/?id=251335).

    For true delegation it is better to delegate the right to create computer accounts and to join computers as mentioned below.

    Using the Delegation of Control Wizard you can delegate the creation of computer accounts to the domain. This does not mean the same user/group can also JOIN the computer to the domain. In the DELEGWIZ.INF file (%WINDIR%\INF) look at template 6.
    By default the "AppliesToClasses" is set to "domainDNS" (case sensitive and without quotes). With this you can only delegate computer account creation at domain level. Change that to "domainDNS,organizationalUnit,container" (case sensitive and without quotes) and you will be able to delegate at OU level.

    If you delegate the creation of computer accounts to a group (e.g. GROUP-CREATE-COMPOBJ), the member of that group that creates the computer becomes the owner of the computer account and automatically receives the right to join a computer with that name to the domain. The other members of that group will not be able to join the computer to the domain. In this case only the user that created the computer account will be able to join the computer.
    Let's say you have another group called GROUP-JOIN-COMP that is allowed to join computers (not create computer accounts) to the domain. The user who creates the computer account has the possibility to designate which user or group gets the rights to join the computer to the domain with the option "The following group or user can join this computer to a domain" (by default this is the Domain Admins group). The group mentioned in that option will be able to join the computer to the domain. In my opinion that is a lot of work just to create a computer account and join it.

    It is however possible to pre-configure the option called "The following group or user can join this computer to a domain" (by default this is the Domain Admins group).

    Add to the DELEGWIZ.INF file (%WINDIR%\INF) a NEW template you can use to delegate the task of JOINING COMPUTERS TO THE DOMAIN (not the creation of computer accounts). The minimum rights are mentioned below!

    REPLACE THE X with an UNUSED NUMBER!

    ;----------------------------------------------------------
    [templateX]
    AppliesToClasses = domainDNS,organizationalUnit,container

    Description = "Join a computer to the domain in an OU (computer account pre-created)"

    ObjectTypes = computer

    [templateX.computer]
    ;Right to join computers to domain
    CONTROLRIGHT= "Reset Password","Validated write to DNS host name","Validated write to service principal name", "Account Restrictions"
    ;----------------------------------------------------------

    This way you can delegate the creation of computer accounts to group1 and the joining of the computers to group2.

    It is also possible that you have a group of people who create computer accounts and also join them. To enable everyone in that group to create computer accounts and join the computers to the domain, independent of who created the computer accounts, replace TEMPLATE 6 with what is mentioned below or perform the delegation twice with the additional task created above! If you want to join a computer to the domain in a specific OU and the computer account has not been pre-created, you cannot use the GUI at the computer. For this you must use the tool NETDOM so you can specify the OU the computer account must reside in! The latter is only possible when you at least have the right to create a computer object in the designated OU. Joining will also be possible because you automatically become the owner of the computer account!

    ;----------------------------------------------------------
    [template6]
    AppliesToClasses = domainDNS,organizationalUnit,container

    Description = "Add and/or join a computer to the domain in an OU (computer)"

    ObjectTypes = SCOPE, computer

    [template6.SCOPE]
    ;Right to create computer objects
    computer=CC

    [template6.computer]
    ;Right to join computers to domain
    CONTROLRIGHT= "Reset Password","Validated write to DNS host name","Validated write to service principal name", "Account Restrictions"
    ;----------------------------------------------------------

    ################################
    2. MOVE COMPUTERS BETWEEN OU'S
    ---------------------------------
    In order to move an object in DS, you need the following three permissions:

    1) DELETE_CHILD on the source container or DELETE on the object being moved
    2) WRITE_PROP on the object being moved for two properties: RDN (name) and CN (or whatever happens to be the rdn attribute for this class, i.e. ou for org units).
    3) CREATE_CHILD on the destination container.

    This is not available through the Delegation of Control Wizard as a common task, thus you need to create a custom task in the Delegation of Control Wizard by selecting the correct properties.
    ################################
    3. RESET USER PASSWORDS
    ---------------------------------
    To reset user passwords you need the “Reset Password” extended right on the user object. This is also available through the Delegation of Control Wizard using the common delegated task “Reset a user account’s password”.

    If you want to reset user passwords and force a password change at next logon you need the “Reset Password” extended right on the user object and you need Read/Write permissions on the attribute “pwdLastSet”. This is also available through the Delegation of Control Wizard using the common delegated task “Reset user passwords and force password change at next logon”.
    ################################
    4. CREATE EXCHANGE MAILBOXES
    ---------------------------------
    If you create a user and assign a mailbox you need:
    Create User objects, write permissions for the attribute “userAccountControl” of the user object and the extended right “Reset Password” on the user object.
    This is also available through the Delegation of Control Wizard using the common delegated task “Create a user account”.

    To additionally assign a mailbox to the user you need Exchange View Only Administrator permissions in Exchange (on ORG level or Administrative Group level, depending on the scope wanted/needed).
    To assign a mailbox to a user account you don’t have permissions for, you need the permissions mentioned in http://support.microsoft.com/Default.aspx?id=316792
    ################################
    5. ADD AND REMOVE GROUPS TO USERS
    ---------------------------------
    The permissions to change group membership are controlled through the group and not through the user. For this you need RP/WP on the attribute “member” of the group you want to add another security principal to (user, group or computer).
    This is also available through the Delegation of Control Wizard using the common delegated task “Modify the membership of a group”.

    ################################
    6. Unlock user accounts
    ---------------------------------
    To unlock accounts you need the read/write permission on the "lockoutTime" attribute on the user object. Unfortunately this is not available through the Delegation of Control Wizard as a common delegated task like “Unlock a user account”.

    However, still using the Delegation of Control Wizard, you can create a custom task that applies to user objects and is property specific. In the list shown select "read lockoutTime" and "write lockoutTime".
    Last edited by Mohamed Fouad; 02-01-2011 at 03:35 PM.
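The same delegations described in sections 3 (the "Reset Password" extended right) and 6 (read/write on lockoutTime) can be applied without the wizard. The script below is an added example, not part of the original post; it assumes the RSAT ActiveDirectory module and uses placeholder OU and group names. The schema and extended-right GUIDs are looked up at run time instead of being hard-coded.

```powershell
# Added example (not from the original post): delegate "Reset Password" and
# read/write lockoutTime to a group on an OU, inherited only by user objects.
# Assumptions: RSAT ActiveDirectory module installed; OU/group names are placeholders.
Import-Module ActiveDirectory

$ouDN      = 'OU=Helpdesk-Managed,DC=example,DC=com'   # placeholder target OU
$groupName = 'GROUP-HELPDESK'                          # placeholder delegate group
$groupSid  = (Get-ADGroup $groupName).SID
$rootDse   = Get-ADRootDSE

# Resolve GUIDs from the schema / configuration NC rather than hard-coding them
function Get-SchemaGuid([string]$ldapDisplayName) {
    $o = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    return [guid]$o.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$displayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$displayName)" -Properties rightsGuid
    return [guid]$o.rightsGuid
}

$userClass   = Get-SchemaGuid 'user'          # class objects also carry schemaIDGUID
$lockoutTime = Get-SchemaGuid 'lockoutTime'
$resetPwd    = Get-ExtendedRightGuid 'Reset Password'

$allow       = [System.Security.AccessControl.AccessControlType]::Allow
$descendants = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$acl = Get-Acl -Path "AD:\$ouDN"

# Section 6: ReadProperty + WriteProperty on lockoutTime, limited to user objects
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $groupSid, [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
    $allow, $lockoutTime, $descendants, $userClass))

# Section 3: the "Reset Password" extended right on the same user objects
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $groupSid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    $allow, $resetPwd, $descendants, $userClass))

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Read the ACL back so the result can be checked against the intended minimum rights
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$groupName" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

The two ObjectType GUIDs printed at the end should match the lockoutTime schema GUID and the Reset Password rightsGuid, and InheritedObjectType should be the user class GUID.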


    #2

    Is that only the system admin tasks?
    Best Regards,
    Sayed Qurany ALi
    Senior System Administrator
    Egyptian Group Co. S.A.E
    P.O Box Sheraton Heliopolis, Cairo 11799 Egypt
    Tel. (+202) 2687712- 13 ext 666
    Raise Yourself To Help Mankind
    Fax (+202) 2687714
