Hack 20 Delegate Control of an OU to a User


Rather than use the Delegation of Control Wizard, use this script to delegate authority over an organizational unit (OU) to a particular user.

By delegating administrative responsibilities, you can eliminate the need for multiple administrative accounts that have broad authority (such as over an entire domain). Although you likely will still use the predefined Domain Admins group for administration of the entire domain, you can limit the accounts that are members of the Domain Admins group to highly trusted administrative users.

Administrative control can be granted to a user or group by using the Delegation of Control wizard. The Delegation of Control wizard allows you to select the user or group to which you want to delegate control, the organizational units and objects you want to grant those users the right to control, and the permissions to access and modify objects.

The Code

While using the wizard to do this is straightforward, there is a quick and easy way to achieve the same effect through VBScript. Just open a text editor such as Notepad (making sure that Word Wrap is disabled), type the following script, and save it with a .vbs extension as DelegateOU.vbs:

 ' The ADSI type-library constants used below are not built into VBScript, so
 ' declare them; left undeclared they evaluate to Empty (0) and the ACE is
 ' written with the wrong type, mask and flags.
 Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
 Const ADS_RIGHT_DS_CREATE_CHILD = &H1
 Const ADS_RIGHT_DS_DELETE_CHILD = &H2
 Const ADS_ACEFLAG_INHERIT_ACE = &H2
 Const ADS_FLAG_OBJECT_TYPE_PRESENT = &H1

 ' Bind to the OU and fetch its security descriptor and DACL
 Set ou = GetObject("LDAP://OU=Test,OU=Users,OU=Services,OU=Network," & _
     "DC=MY,DC=Domain,DC=com")
 Set sec = ou.Get("ntSecurityDescriptor")
 Set acl = sec.DiscretionaryAcl

 ' Build an object-specific Allow ACE: create/delete child objects of class user
 Set ace = CreateObject("AccessControlEntry")
 ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
 ace.AccessMask = ADS_RIGHT_DS_CREATE_CHILD Or ADS_RIGHT_DS_DELETE_CHILD
 ace.ObjectType = "{BF967ABA-0DE6-11D0-A285-00AA003049E2}"  ' User's GUID (schemaIDGuid)
 ace.AceFlags = ADS_ACEFLAG_INHERIT_ACE        ' Also inherited by child OUs
 ace.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT      ' ObjectType field is in use
 ace.Trustee = "MY\Jsmith"                     ' User to delegate to

 ' Append the ACE and write the modified descriptor back to the OU
 acl.AddAce ace
 sec.DiscretionaryAcl = acl
 ou.Put "ntSecurityDescriptor", Array(sec)
 ou.SetInfo

 Set ace = Nothing
 Set acl = Nothing
 Set sec = Nothing

When you run this script, it delegates to the user the ability to create and delete users in the MY.DOMAIN.COM/NETWORK/SERVICES/USERS/TEST organizational unit.

The first line you need to customize to make this work in your own environment is this one:

 Set ou = GetObject("LDAP://OU=Test,OU=Users,OU=Services,OU=Network," & _
     "DC=MY,DC=Domain,DC=com")

You must insert the distinguished name (DN) of the OU to which you want to delegate this right in the LDAP path passed to GetObject. For example, if you want the delegated user to be able to add and delete users in the OU called UR.DOMAINHERE.COM/HR/USERS, the line would need to look like this:

 Set ou = GetObject("LDAP://OU=Users,OU=HR,DC=Ur,DC=Domainhere,DC=com")

Here is another line you need to modify for your environment:

 ace.Trustee = "MY\Jsmith"    ' User to delegate to

In the section in double quotes ("MY\Jsmith"), you must insert the username for the user to whom you want to delegate the right to add and delete users. For example, if the user that you want to be able to ADD and DELETE users is called Janedoe, the line would look like this:

 ace.Trustee = "UR\Janedoe"   ' Who is the beneficiary of this ace

Make sure you have the latest scripting engines on the workstation you run this script from; you can download current scripting engines from the Microsoft Scripting home page (http://msdn.microsoft.com/library/default.asp?url=/nhp/Default.asp?contentid=28001169). When working with the Active Directory Services Interface (ADSI), you must have the same applicable rights you need to use the built-in administrative tools.

Running the Hack

To run the script, simply create a shortcut to the script and double-click on the shortcut. The script itself does the rest.
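To confirm what a script like this actually wrote, or to review an OU's delegations later, the following PowerShell (added here; it is not part of the book's hack) lists the Allow ACEs on the OU that grant CreateChild or DeleteChild, shows whether each is limited to the user class, and whether it also flows down to child OUs. The OU path is the book's sample and is an assumption; it uses only System.DirectoryServices, so no RSAT module is needed.

```powershell
param(
    # Assumed path: the same sample OU the book's DelegateOU.vbs binds to
    [string]$OuPath = "LDAP://OU=Test,OU=Users,OU=Services,OU=Network,DC=MY,DC=Domain,DC=com"
)

# schemaIDGUID of the 'user' class: the GUID the VBScript places in ace.ObjectType
$userClassGuid = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"

$ou = [ADSI]$OuPath
# ObjectSecurity is a System.DirectoryServices.ActiveDirectorySecurity; request
# explicit and inherited rules, with trustees resolved to DOMAIN\name form.
$rules = $ou.psbase.ObjectSecurity.GetAccessRules(
    $true, $true, [System.Security.Principal.NTAccount])

$childRights = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
               [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild

foreach ($rule in $rules) {
    # Keep only Allow ACEs that carry CreateChild and/or DeleteChild
    if ($rule.AccessControlType -ne 'Allow') { continue }
    if (($rule.ActiveDirectoryRights -band $childRights) -eq 0) { continue }

    # ObjectType limits the right to one object class; Guid.Empty means any class,
    # which is a far broader grant than the book's user-only ACE.
    if ($rule.ObjectType -eq $userClassGuid) {
        $scope = 'user objects only'
    } elseif ($rule.ObjectType -eq [Guid]::Empty) {
        $scope = 'ALL child object classes'
    } else {
        $scope = "class $($rule.ObjectType)"
    }

    [pscustomobject]@{
        Trustee     = $rule.IdentityReference.Value
        Rights      = $rule.ActiveDirectoryRights -band $childRights
        Scope       = $scope
        Inheritance = $rule.InheritanceType   # 'All' = applies to sub-OUs as well
        Inherited   = $rule.IsInherited       # $true = set on a parent, not this OU
    }
}
```

Rows where Inherited is false are the delegations set directly on this OU; a row for MY\Jsmith with CreateChild, DeleteChild and scope "user objects only" is what the book's script produces.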

Hans Schefske

Windows Server Hacks
ISBN: 0596006470
Year: 2004
Pages: 163
Authors: Mitch Tulloch