Adding Users to ADSI ? - KiXtart.org - official site

You are not logged in. [Log In] KiXtart.org website » Forums » KiXtart » Basic Scripting » Adding Users to ADSI ?

Page 1 of 2

1

Topic Options

#128018 - 2004-10-17 02:56 PM Adding Users to ADSI ?
Chance Chance Fresh Scripter Registered: 2004-10-17 Posts: 12 Loc: Almere, The Netherlands	Hi, I am making 2 kinds of scripts and each of them are running nicely, I only have 2 problems with each. The first script is a script (using kixforms) that reset's user passwords, It works like a charm, only problem is the user that actually uses the script has to have administrator privilidges. Off course I don't want to give that user administrator privilidges so I am looking for a way (without runas/sanur or external progs) to only give the script administrator priviliges. The second script is a script that adds new users to the Active Directory, works fine as well (also admin probs like b4) but for the profile path, it actually has to make the Folder where the profile path will be stored, now this on itself isn't a problem but setting the rights (ACL's) to that folder is, it has to give the Domain Admins full access, and the user who's profile is stored in there full access. I tried external progs for it as well, such as CACLS and XCACLS, but I was wondering if I could do that using Kix only. In any case I wanna take this opportunity to thank everyone on this message board for helping users as much as you do, over the last few weeks I've learned alot from you without having to ask anything. Thanks _________________________ can not join #Real_Life (invite only)
Top

#128019 - 2004-10-17 03:50 PM Re: Adding Users to ADSI ?
Les Les KiX Master Registered: 2001-06-11 Posts: 12734 Loc: fortfrances.on.ca	You should never elevate the users permission to Administrator, that is what delegation is for. In AD, delegate only those roles that are needed. You could try using purely a COM solution but if you had a look at how Microsoft does it in VBS you would probably think twice. _________________________ Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.
Top

#128020 - 2004-10-17 03:54 PM Re: Adding Users to ADSI ?
Chance Chance Fresh Scripter Registered: 2004-10-17 Posts: 12 Loc: Almere, The Netherlands	I don't elevate them, before I wrote the script in VBS, making a C++ executable run the runas/sanur/vbs commandline, I am looking for a way to get it all in kix, preferably in the script as admin. What do you mean by "delegate" tho (my english ain't that good) _________________________ can not join #Real_Life (invite only)
Top

#128021 - 2004-10-17 03:59 PM Re: Adding Users to ADSI ?
Les Les KiX Master Registered: 2001-06-11 Posts: 12734 Loc: fortfrances.on.ca	RunAs is elevating! tsk, tsk Delegation is covered in MCSE school. If you don't know how to administer security properly in AD using delegation, you need to go back to MCSE school. _________________________ Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.
Top

#128022 - 2004-10-17 04:27 PM Re: Adding Users to ADSI ?
Chance Chance Fresh Scripter Registered: 2004-10-17 Posts: 12 Loc: Almere, The Netherlands	What I ment to say is that I don't elevate the User Accounts. Also I asked what "delegation" ment, in other words I couln't translate it to my own language (hence why i said my english aint that good) _________________________ can not join #Real_Life (invite only)
Top

#128023 - 2004-10-17 04:53 PM Re: Adding Users to ADSI ?
Les Les KiX Master Registered: 2001-06-11 Posts: 12734 Loc: fortfrances.on.ca	You said: Quote: I am looking for a way (without runas/sanur or external progs) to only give the script administrator priviliges. If you were to give the script admin priv, that is elevating the user who runs the script. Since I only know MCSE terminology in English, I know of no other way to explain delegation. In ADUC, there is a Delegation Wizard but I prefer to use the security tab instead to give (delegate) only the required permission to the user. _________________________ Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.
Top

#128024 - 2004-10-17 05:25 PM Re: Adding Users to ADSI ?
Chance Chance Fresh Scripter Registered: 2004-10-17 Posts: 12 Loc: Almere, The Netherlands	OK, I understand that, then yes I want to elevate the script. Since I can't give those users (mainly staff) any more rights then they already have, which means I have to limit the access to AD to the script only. Furthermore do you also have an answer for the path/dir creation ACL's ? _________________________ can not join #Real_Life (invite only)
Top

#128025 - 2004-10-17 05:49 PM Re: Adding Users to ADSI ?
Les Les KiX Master Registered: 2001-06-11 Posts: 12734 Loc: fortfrances.on.ca	I will not help to implement something that, if I were CSO for your company, I would have to fire you for. I am sure there are others on this board that would help. I hope you understand and don't take it as a personal affront. _________________________ Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.
Top

#128026 - 2004-10-17 06:06 PM Re: Adding Users to ADSI ?
Chance Chance Fresh Scripter Registered: 2004-10-17 Posts: 12 Loc: Almere, The Netherlands	I understand that, and can apreciate that. My boss is fully aware of this and even asked to do it like that with the VBS example, but in you position I wouln't take my word for that either. Anyway could u please look into my folder ACL problem ? _________________________ can not join #Real_Life (invite only)
Top

#128027 - 2004-10-17 07:52 PM Re: Adding Users to ADSI ?
Les Les KiX Master Registered: 2001-06-11 Posts: 12734 Loc: fortfrances.on.ca	Many before you have tried using just KiX and COM but I don't recall any success stories. Take a look at this topic: Using WMI to set ownership I never said I had the answer or if it was even possible, only that you could try doing it with COM. I am not sure if anyone fully explored the ADsSecurity.dll method. Maybe Howard can jump in here and clarify how far he may have gotten with his HABObjects.dll. _________________________ Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.
Top

#128028 - 2004-10-17 08:36 PM Re: Adding Users to ADSI ?
NTDOC NTDOC Administrator Registered: 2000-07-28 Posts: 11629 Loc: CA	Item 1: Create a group that will contain the user accounts that you wish to be able to reset passwords (note though that if your account is already locked you won't be able to get in to reset it so not sure what value this approach will do for you). Then as Les has stated you would DELEGATE (basically assigns or allows an account or group to specifically carry out a task) the authority to reset passwords (I think though [have not looked it up] that this would then allow members of this group to reset anyones password [except an account of higher authority] on the system) so you would also want to be careful about this. I guess bottom-line THIS IS NOT A GOOD OR RECOMMENDED thing to do. As for item 2 It can not be done with KiXtart alone, but via KiXtart ie. using other COM or Compiled programs you could get close, but again [have not tried] I don't think a normal account can assign rights of a higher group/account [this is just common sense for secuirty purposes]. Also, the main folder would have to allow users to perform the rights assignment from a parent folder, which would then mean that anyone with those rights could then come along and either on purpose or on accident delete or re-assign rights. Which is/would be another NO NO in terms of security. Again, which Les has also attempted to alert you to, neither of the items you wish to do should be done in a place of business. The tasks you are attempting to do can/would allow potential security issues from either internal or external sources. Some say up to 85% of hacking or damage is done by employees of the Company. If that is true, you would be making things easier for both types of intruder access. For both items, if you don't have a Helpdesk to perform these tasks and you don't have time yourself then perhaps delegate these rights to maybe a group of 20 or so high profile/more advanced and trusted users to help out.
Top

#128029 - 2004-10-17 10:44 PM Re: Adding Users to ADSI ?
Chance Chance Fresh Scripter Registered: 2004-10-17 Posts: 12 Loc: Almere, The Netherlands	well, I'll take Delegation as an answer for item one, I should be able to set permissions ok on 2k3 AD, jes will take some figuring out. As for item 2, technically if you would enter the file path in the AD's user profile it should set permissions to it accordingly, however it doesnt, XCACLS and CACLS only sets 1 user as full access it doesn't have a feature to "ADD" a user IE admin and the user. At any rate I would like to thank you both for helping me on this subject, to clarify it a bit more, we are a very small company that make networks for schools, the reset password proggy I am making (with kixforms) should enable headmasters to reset (dumb) teachers passwords to a standard password and when they login they can change it again cos windows will then prompt for them to change it. The second lets the headmaster add a new teacher to the AD. Anyway thx again for helping me on my way here _________________________ can not join #Real_Life (invite only)
Top

#128030 - 2004-10-17 11:07 PM Re: Adding Users to ADSI ?
NTDOC NTDOC Administrator Registered: 2000-07-28 Posts: 11629 Loc: CA	Quote: As for item 2, technically if you would enter the file path in the AD's user profile it should set permissions to it accordingly I'm sorry, but no it does not work that way. It only sets the users account to that folder as a home folder which you can then also set a drive letter to map to if wanted. Okay, as I read your recent reply it is not what you orignally said or asked. As you replied just now it is very doable. If you only want a couple people to do as you ask then we can help you accomplish that task. Let's just make sure we're on the same page with what it is we are really doing or wanting here.
Top

#128031 - 2004-10-18 10:38 AM Re: Adding Users to ADSI ?
Lonkero Lonkero KiX Master Guru Registered: 2001-06-05 Posts: 22346 Loc: OK	with rmtshare you can control the share and it's ACL's fully. but, I don't like the idea of admin having rights specified in share ACL's. admins have the rights already on the server and there is no reason for admins to access users homedrive via his/her share. not reading all what you have talked with boys here but did read your question and yes, you don't need elevation (runas or any such thingie) to accomplish any of these tasks. _________________________ ! download KiXnet
Top

#128032 - 2004-10-18 02:45 PM Re: Adding Users to ADSI ?
Les Les KiX Master Registered: 2001-06-11 Posts: 12734 Loc: fortfrances.on.ca	Well... for task #2, without admin rights, it would be hard to create a share and set ACLs. He also wants a 100% KiX solution without external utilities. If you were to elevate to admin, and you use external ultils, someone might be able to replace the utility with something they could use to give themselves more rights. The way to do this (the rmtshare) is to have a central admin script that has the rights, and the limited user can only pass parms to it. I would not like to see that sort of thing done for password resets though because that could be easily abused and the audit trail lost. _________________________ Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.
Top

#128033 - 2004-10-18 03:02 PM Re: Adding Users to ADSI ?
Lonkero Lonkero KiX Master Guru Registered: 2001-06-05 Posts: 22346 Loc: OK	me not really sure where you would need admin rights with rmtshare. and you can place rmtshare in such place that only the assigned users have access and also they have only read/execute rights. _________________________ ! download KiXnet
Top

#128034 - 2004-10-18 08:49 PM Re: Adding Users to ADSI ?
Anonymous Anonymous Unregistered	Quote: Okay, as I read your recent reply it is not what you orignally said or asked. As you replied just now it is very doable. If you only want a couple people to do as you ask then we can help you accomplish that task. Let's just make sure we're on the same page with what it is we are really doing or wanting here. Only thing I want the script to do is make users in AD, their homepath should have set those users as owner (ie \\server\personal$\username the username folder should have ACL's set to the user as owner with full rights, and admin with full rights, also I made sure the script cannot do anything else but make users in seletive groups, they can't add an admin for instance. But I need the script to have admin privilidges to set those ACL's and to actually be able to have rights to add users to AD. If you want I can paste the code here.
Top

#128035 - 2004-10-18 08:50 PM Re: Adding Users to ADSI ?
Chance Chance Fresh Scripter Registered: 2004-10-17 Posts: 12 Loc: Almere, The Netherlands	Sorry forgot to login, anonymous is me. _________________________ can not join #Real_Life (invite only)
Top

#128036 - 2004-10-21 02:30 PM Re: Adding Users to ADSI ?
Chance Chance Fresh Scripter Registered: 2004-10-17 Posts: 12 Loc: Almere, The Netherlands	Quote: Quote: As for item 2, technically if you would enter the file path in the AD's user profile it should set permissions to it accordingly I'm sorry, but no it does not work that way. It only sets the users account to that folder as a home folder which you can then also set a drive letter to map to if wanted. Actually it does if you set the profilepath to: \\Server\profiles$\%username%\My Profile\ when that user logs in, AD will create the folder and set rights accordingly, only admin's can't access them but thats good enough for me. I am almost finished with my tools, I set the ppl who can create account to have rights in the "accountoperators" group. Only problem I have now is I need to figure out how I get a user's full LDAP path (the original one) for instance if a user is made in: LDAP://CN=administration,OU=Administration,OU=Users,DC=microsoft,DC=com and lateron is added to for instance Staff, how would I get a users original LDAP path ? _________________________ can not join #Real_Life (invite only)
Top

#128037 - 2004-10-21 02:35 PM Re: Adding Users to ADSI ?
Les Les KiX Master Registered: 2001-06-11 Posts: 12734 Loc: fortfrances.on.ca	Have a look at the TranslateName() UDF. _________________________ Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.
Top

Page 1 of 2

1

Previous Topic

Previous Topic View All Topics

View All Topics

Index Next Topic

Next Topic

Moderator: Jochen, Allen, Radimus, Glenn Barnas, ShaneEP, Ruud van Velsen, Arend_, Mart

Hop to:

Shout Box

Who's Online

1 registered (Allen) and 905 anonymous users online.

Newest Members

batdk82, StuTheCoder, M_Moore, BeeEm, min_seow
17885 Registered Users

Generated in 0.077 seconds in which 0.03 seconds were spent on a total of 13 queries. Zlib compression enabled.

click tracking