Absolutely, that is definitely one product that will do it
and the first one I had in mind when I posted. Keep in mind though that this
functionality isn't terribly difficult to put together and do through a website
either for those who don't have the bucks to buy a full blown tool. The hardest
part is maintaining good security in the app you build.
I did hear an interesting rumour about EDM though that it
displayed some info in one of the screens by indexed attributes and if you index
objectclass it torks up the display pretty bad. I don't have first hand
experience or the bits to test it. If that is so, that kind of sucks.
joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Perdue David J Contr InDyne/Enterprise IT
Sent: Wednesday, December 29, 2004 4:46 PM
To: '[email protected]'
Subject: RE: [ActiveDir] Delegation of Control Wizard

Aelita (now Quest) has an app (used to be Enterprise
Directory Manager) that will allow that level of granularity. It
utilizes a SQL database to store the additional information and acts as a go
between for the user and AD. It provides some really neat functionality
besides this feature.
Dave
//SIGNED//
------------------------------------------------
David J. Perdue
Network Security Engineer, InDyne Inc
Comm: (805) 606-4597 DSN: 276-4597
------------------------------------------------

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, December 29, 2004 09:41 AM
To: [email protected]
Subject: RE: [ActiveDir] Delegation of Control Wizard

Enabled/Disabled is maintained in the userAccountControl.
Unfortunately that is a flag attribute and controls several things like not
requiring passwords, etc. See http://msdn.microsoft.com/library/default.asp?url= for
a semi-accurate listing. I say semi-accurate because say lockout isn't handled
there any more...
Strictly speaking, you cannot directly delegate the
ability to only disable/enable accounts within AD natively. You would need some
system that follows business rules for you and does the work through proxy such
as an enterprise manager or web site or something.
joe
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Olegario, Alan
Sent: Wednesday, December 29, 2004 11:19 AM
To: [email protected]
Subject: RE: [ActiveDir] Delegation of Control Wizard

Thanks for the info. Would you know what permissions need to be set if we want to give
them the right to ONLY enable an account if it's disabled? Thanks again.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe

Well it is the same in 2K and K3. You give the following permissions:

WRITE lockoutTime
CA Reset Password

You can do that with subinacl or adsiedit or ADUC (using dssec.dat mods). All permissioning in AD
should be to security groups and you add people to security groups. One thing
you don't want to do that I have been seeing a lot of lately is 10 different
groups with reset password. Secure the resource with a resource specific group
and then add people/groups to that resource group.... I.E. If you have some
people that can unlock, some can reset, have two groups. One for unlock, one for
reset. If people who can unlock can reset, use one group.
You should do these
delegations at the OU level, not piecemeal user by
user.
joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Olegario, Alan

We are looking to give our helpdesk
only the rights to reset passwords and unlock accounts. We found that in
Win2k that this was difficult to do using the Delegation of Control Wizard, so
we did it using a security group. But now, I've been reading that it
should be much easier in Win2k3. Does anyone know the exact permissions
that we would need to give our helpdesk so that the only thing they can do is reset
passwords and unlock accounts? Thanks.

Alan Olegario
Tiffany & Co.

The information contained in this email message may be
privileged, confidential, and protected from disclosure. Any unauthorized use,
printing, copying, disclosure, dissemination of or reliance upon this
communication by persons other than the intended recipient may be subject to
legal restriction or sanction. If you think that you have received this E-mail
message in error, please reply to the sender and delete this email promptly.
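Joe's recipe above (WRITE on lockoutTime plus the "Reset Password" control access right, granted to resource groups at the OU level rather than user by user) as a PowerShell script. This is an added example, not code from the thread or from any of its participants. The domain, OU and group names are assumptions; the attribute, object-class and extended-right GUIDs are read from the schema and Extended-Rights containers at run time rather than typed in. Nothing here touches userAccountControl, which is the point of the thread: enable/disable cannot be split off from the other flags in that attribute.

```powershell
# Added example (not from the thread): delegate unlock and password reset to two
# resource groups on one OU, inheriting to the user objects beneath it.
Import-Module ActiveDirectory

$ou          = 'OU=Staff,DC=corp,DC=example'   # assumed target OU
$unlockGroup = 'CORP\HelpDesk-Unlock'           # assumed resource group: may unlock
$resetGroup  = 'CORP\HelpDesk-PwReset'          # assumed resource group: may reset passwords

$rootDse = Get-ADRootDSE

# Resolve the GUIDs from the directory instead of hard-coding them.
$userClassGuid = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID).schemaIDGUID
$lockoutTimeGuid = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=lockoutTime)' -Properties schemaIDGUID).schemaIDGUID
$resetPwGuid = [guid](Get-ADObject `
    -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid).rightsGuid

function Get-AccountSid([string]$account) {
    # Translate DOMAIN\Group into the SID the ACE is stored against.
    ([System.Security.Principal.NTAccount]$account).Translate(
        [System.Security.Principal.SecurityIdentifier])
}

$acl = Get-Acl -Path "AD:\$ou"

# ACE 1: WRITE lockoutTime on descendant user objects only (unlock = lockoutTime set to 0).
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    (Get-AccountSid $unlockGroup),
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $lockoutTimeGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)))

# ACE 2: the "Reset Password" control access right on descendant user objects only.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    (Get-AccountSid $resetGroup),
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPwGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)))

Set-Acl -Path "AD:\$ou" -AclObject $acl

# Verify: show only the ACEs granted to the two resource groups.
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference.Value -in @($unlockGroup, $resetGroup) } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType,
                  InheritedObjectType, InheritanceType
```

The same two ACEs can be set from a plain command prompt with the built-in dsacls tool, which is another option beside the subinacl/adsiedit/ADUC route joe mentions: `dsacls "OU=Staff,DC=corp,DC=example" /I:S /G "CORP\HelpDesk-Unlock:WP;lockoutTime;user"` and `dsacls "OU=Staff,DC=corp,DC=example" /I:S /G "CORP\HelpDesk-PwReset:CA;Reset Password;user"` (`/I:S` inherits to sub-objects only, so the OU object itself gets no new rights). If the same people may do both, collapse the two groups into one, as joe says; never grant the rights to individual users.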
