Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2006-01-05) Creating A Taskpad And Delegating Several Admin Tasks

Posted by Jorge on 2006-01-05


For information on how to create and use Taskpad Views see:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/3d0c783c-7789-4400-953b-d22a501ae535.mspx

http://www.winsupersite.com/showcase/win2k_taskpad.asp

http://www.petri.co.il/create_taskpads_for_ad_operations.htm

If for some reason you want to delegate the use of some attribute and that attribute is not listed in the property/attribute-specific list, it is because the attribute is hidden from view. To be able to use that attribute in the Delegation of Control Wizard on THAT SPECIFIC DC, open DSSEC.DAT in %WINDIR%\SYSTEM32, search for the attribute you want to use (make sure you are making the change under the correct [OBJECT] section) and change the value 7 to a value 0 (zero). Save DSSEC.DAT and RE-OPEN Active Directory Users and Computers. Before doing this, make a copy of the original DSSEC.DAT (e.g. DSSEC.DAT.ORG), and after doing this make a copy of the changed DSSEC.DAT (e.g. DSSEC.DAT.CUST); if a hotfix or service pack replaces the file, you would otherwise have lost your changes.

Sakari Kouti (http://www.kouti.com/) also has some info about the use of the DSSEC.DAT file. Go to http://www.kouti.com/scripts.htm and search for "Modified DSSec.Dat" (without the quotes!)

The following are some example tasks and information about them. For more information on delegating tasks see:

http://www.microsoft.com/downloads/details.aspx?FamilyID=631747a3-79e1-48fa-9730-dae7c0a1d6d3&DisplayLang=en

AND
http://www.microsoft.com/downloads/details.aspx?FamilyID=29dbae88-a216-45f9-9739-cb1fb22a0642&DisplayLang=en

################################
1. JOIN COMPUTERS TO THE DOMAIN
———————————
Well, this is possible through the Delegation of Control Wizard. Read the following first which gives some recommendations.

The user right "Add workstation to the domain" (configured by default in the Default Domain Controllers GPO) grants EVERY AUTHENTICATED USER (even non-admin users) in the domain the right to add/join workstations to the domain. It is best to remove "Authenticated Users" from that user right, or to set the quota to 0 (the quota is specified in the "ms-DS-MachineAccountQuota" attribute on the domain NC head; see: http://support.microsoft.com/?id=251335).
 
For true delegation it is better to delegate the right to create computer accounts and to join computers as mentioned below.

Using the Delegation of Control Wizard you can delegate the creation of computer accounts in the domain. This does not mean the same user/group can also JOIN the computer to the domain. In the DELEGWIZ.INF file (%WINDIR%\INF) look at template 6.
By default "AppliesToClasses" is set to "domainDNS" (case sensitive and without quotes). With this you can only delegate computer account creation at domain level. Change it to "domainDNS,organizationalUnit,container" (case sensitive and without quotes) and you will be able to delegate at OU level as well.
 
If you delegate the creation of computer accounts to a group (e.g. GROUP-CREATE-COMPOBJ), the member of that group that creates the computer account becomes the owner of the computer account and automatically receives the right
to join a computer with that name to the domain. The other members of that group will not be able to join the computer to the domain. In this case only the user that created the computer account will be able to join the computer.
Let's say you have another group called GROUP-JOIN-COMP that is allowed to join computers to the domain (but not to create computer accounts). The user who creates the computer account can designate which user or group gets the right to join the computer to the domain with the option "The following group or user can join this computer to a domain" (by default this is the Domain Admins group). The group mentioned in that option will be able to join the computer to the domain. In my opinion that is a lot of work just to create a computer account and join it.
 
It is however possible to pre-configure the option "The following group or user can join this computer to a domain" (by default the Domain Admins group).
 
Add to the DELEGWIZ.INF file (%WINDIR%\INF) a NEW template you can use to delegate the task of JOINING COMPUTERS TO THE DOMAIN (not the creation of computer accounts). The minimum rights are mentioned below!
 
REPLACE THE X with an UNUSED NUMBER!
 
;———————————————————-
[templateX]
AppliesToClasses = domainDNS,organizationalUnit,container
 
Description = "Join a computer to the domain in an OU (computer account pre-created)"
 
ObjectTypes = computer
 
[templateX.computer]
;Right to join computers to domain
CONTROLRIGHT= "Reset Password","Validated write to DNS host name","Validated write to service principal name", "Account Restrictions"
;———————————————————-
 
This way you can delegate the creation of computer accounts to group1 and the joining of the computers to group2.
 
It is however also possible that you have a group of people who both create computer accounts and join them. To make it so that everyone in that group can create computer accounts and join the computers to the domain, independent of who created the computer account, replace TEMPLATE 6 with what is mentioned below, or perform the delegation twice using the additional task created above! If you want to join a computer to the domain in a specific OU and the computer account has not been pre-created, you cannot use the GUI on the computer. For this you must use the tool NETDOM, so that you can specify the OU in which the computer account must reside! The latter is only possible when you at least have the right to create a computer object in the designated OU. Joining will also be possible because you automatically become the owner of the computer account!
 
;———————————————————-
[template6]
AppliesToClasses = domainDNS,organizationalUnit,container
 
Description = "Add and/or join a computer to the domain in an OU (computer)"
 
ObjectTypes = SCOPE, computer
 
[template6.SCOPE]
;Right to create computer objects
computer=CC
 
[template6.computer]
;Right to join computers to domain
CONTROLRIGHT= "Reset Password","Validated write to DNS host name","Validated write to service principal name", "Account Restrictions"
;———————————————————-

################################
2. MOVE COMPUTERS BETWEEN OUs
———————————
In order to move an object in DS, you need the following three permissions:

1) DELETE_CHILD on the source container or DELETE on the object being moved
2) WRITE_PROP on the object being moved for two properties: RDN (name) and CN (or whatever happens to be the rdn attribute for this class, i.e. ou for org units).
3) CREATE_CHILD on the destination container.

This is not available as a common delegated task in the Delegation of Control Wizard, so you need to create a custom task in the wizard and select the correct permissions and properties yourself.

################################
3. RESET USER PASSWORDS
———————————
To reset user passwords you need the "Reset Password" extended right on the user object. This is also available through the delegation of control wizard using the common delegated task "Reset a user account’s password"

If you want to reset user passwords and force password change at next logon you need the "Reset Password" extended right on the user object and you need Read/Write permissions on the attribute "pwdLastSet". This is also available through the delegation of control wizard using the common delegated task "Reset user passwords and force password change at next logon"

################################
4. CREATE EXCHANGE MAILBOXES
———————————
If you create a user and assign a mailbox you need:
Create User objects, write permissions for the attribute "userAccountControl" of the user object and the extended right "Reset Password" on the user object.
This is also available through the delegation of control wizard using the common delegated task "Create a user account"

To additionally assign a mailbox to the user you need Exchange View Only Administrator permissions in Exchange (on ORG level or administrative Group Level, depending on the scope wanted/needed)

To assign a mailbox to a user account you don’t have permissions for you need the permissions mentioned in http://support.microsoft.com/Default.aspx?id=316792

################################
5. ADD AND REMOVE GROUPS TO USERS
———————————
The permission to change group membership is controlled through the group, not through the user. For this you need RP/WP on the attribute "member" of the group you want to add another security principal (user, group or computer) to.
This is also available through the delegation of control wizard using the common delegated task "Modify the membership of a group".

################################
6. UNLOCK USER ACCOUNTS
———————————
To unlock accounts you need the read/write permission on the "lockoutTime" attribute of the user object. Unfortunately there is no common delegated task like "Unlock a user account" available in the delegation of control wizard.

However still using the delegation of control wizard you can create a custom task that applies to user objects and is property specific. In the list shown select "read lockoutTime" and "write lockoutTime".
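As an added example (not from the original post, whose approach is the wizard and DELEGWIZ.INF), the delegations for tasks 1, 2, 3 and 6 expressed as ACEs with the ActiveDirectory PowerShell module; the OU paths and the groups GROUP-MOVE-COMP and GROUP-HELPDESK are placeholders, and the module with its AD: drive is assumed to be available (it postdates this post).

```powershell
# Added example, not from the original post: grant the ACEs listed for tasks 1, 2, 3 and 6
# with the ActiveDirectory module. OU paths and group names are placeholders to adjust.
Import-Module ActiveDirectory
$root   = Get-ADRootDSE
$domain = (Get-ADDomain).DistinguishedName
# Resolve object-type GUIDs from the schema and the Extended-Rights container at run time.
function Get-SchemaGuid([string]$LdapName) {
    $o = Get-ADObject -SearchBase $root.schemaNamingContext -LDAPFilter "(lDAPDisplayName=$LdapName)" -Properties schemaIDGUID
    [guid][byte[]]$o.schemaIDGUID
}
function Get-RightGuid([string]$DisplayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$o.rightsGuid
}
# Append one Allow ACE. Inherit = Descendents with an InheritedType scopes the ACE to child
# objects of that class only (e.g. computer objects under the OU), not to the OU itself.
function Add-Ace([string]$Path, [string]$Group, [System.DirectoryServices.ActiveDirectoryRights]$Rights,
                 [guid]$ObjectType = [guid]::Empty, [guid]$InheritedType = [guid]::Empty,
                 [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inherit = 'None') {
    $sid = (Get-ADGroup -Identity $Group).SID
    $acl = Get-Acl -Path "AD:\$Path"
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $Rights, 'Allow', $ObjectType, $Inherit, $InheritedType)))
    Set-Acl -Path "AD:\$Path" -AclObject $acl
}
$computer = Get-SchemaGuid 'computer'
$user     = Get-SchemaGuid 'user'
$wsOu     = "OU=Workstations,$domain"
$staffOu  = "OU=Staff,$domain"
# Task 1, split as the post describes: one group creates computer accounts in the OU
# (template6.SCOPE: computer=CC), another joins pre-created computers (templateX.computer).
Add-Ace $wsOu 'GROUP-CREATE-COMPOBJ' CreateChild -ObjectType $computer
# Validated writes are Self rights, Reset Password is an extended right, Account Restrictions is a property set.
$joinRights = @{ 'Reset Password' = 'ExtendedRight'; 'Validated write to DNS host name' = 'Self';
                 'Validated write to service principal name' = 'Self'; 'Account Restrictions' = 'ReadProperty, WriteProperty' }
foreach ($r in $joinRights.GetEnumerator()) {
    Add-Ace $wsOu 'GROUP-JOIN-COMP' $r.Value -ObjectType (Get-RightGuid $r.Key) -InheritedType $computer -Inherit Descendents
}
# Task 2: moving computers out of $wsOu into $destOu needs the three permissions listed above.
$destOu = "OU=Servers,$domain"
Add-Ace $wsOu 'GROUP-MOVE-COMP' DeleteChild -ObjectType $computer
foreach ($attr in 'name', 'cn') { Add-Ace $wsOu 'GROUP-MOVE-COMP' WriteProperty -ObjectType (Get-SchemaGuid $attr) -InheritedType $computer -Inherit Descendents }
Add-Ace $destOu 'GROUP-MOVE-COMP' CreateChild -ObjectType $computer
# Task 3: reset passwords and force a change at next logon (Reset Password + read/write pwdLastSet).
Add-Ace $staffOu 'GROUP-HELPDESK' ExtendedRight -ObjectType (Get-RightGuid 'Reset Password') -InheritedType $user -Inherit Descendents
Add-Ace $staffOu 'GROUP-HELPDESK' 'ReadProperty, WriteProperty' -ObjectType (Get-SchemaGuid 'pwdLastSet') -InheritedType $user -Inherit Descendents
# Task 6: unlock accounts = read/write lockoutTime on user objects.
Add-Ace $staffOu 'GROUP-HELPDESK' 'ReadProperty, WriteProperty' -ObjectType (Get-SchemaGuid 'lockoutTime') -InheritedType $user -Inherit Descendents
```

Afterwards, (Get-Acl "AD:\$wsOu").Access lists the resulting ACEs so the delegation can be checked against the templates above.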

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
Jorge's Quest For Knowledge: http://JorgeQuestForKnowledge.wordpress.com/
———————————————————————————————
