[EMAIL PROTECTED] wrote:

> We use a web page for the helpdesk to do everything they need to do.
> You can lock down your security on the webserver and by utilizing the
> Adminmisc module's impersonation call, you can do the work as an admin
> but only allow certain functions to be performed.

It's also possible to keep the helpdesk personnel from having any sort of
access rights to the domain whatsoever, by using an alternative
authentication source (in my case, I use LDAP authentication from the
webserver) for the administrative tools.  The webserver could run in a
privileged context (yes, there is risk here, but you can decide to have a
single webserver instance running in a privileged context, or have many
privileged users running about) to actually perform the administrative
changes in the domain(s).  This means that you can write your scripts to
perform whatever actions you want.

For instance, I have a page that creates NT machine accounts, but with some
added features: the machine name has to fit RFC952 specs, the owner and
creator names are stored in the "comment" and "usrComment" fields of the
machine account (great for tracking users down when their machine
misbehaves), and I can give people access to the tool based on a webserver
ACL rather than having to give people access rights in the domain.

All user management for my NT domain(s) is done via modification of LDAP
attributes and a Perl program running as a service on the PDC.  The
Helpdesk modifies LDAP attributes (again, using a webpage front-end) to
make things happen in the NT domain (create accounts, delete accounts, lock
accounts, unlock accounts, create macfile volumes, etc.).  Group management
is done via a webpage as well (with a Perl backend, of course) and not yet
integrated with LDAP.  All of this also serves to keep the SAM consistent
and up-to-date -- people aren't putting "Last, First" instead of "First
Last" for fullname, spaces aren't getting into machine accounts, groups
called "Goofy And Pluto" aren't being created, user terminations are
automatically processed, etc.

All of the above means that for a computing populace of ~15,000 people or
so, there are no Account Operators, a small number of Administrators, and
an even smaller number of Domain Admins.

-rsb
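As an added example (not the poster's code), a Perl sketch of the input checks such a machine-account page would apply before anything touches the domain: the RFC 952 name rules the post mentions, plus a 15-character NetBIOS limit assumed here, and the owner/creator placement in the comment and usrComment fields. The function names are hypothetical and the actual SAM call is deliberately left out.

```perl
#!/usr/bin/perl
# Added example, not the poster's code: validation a helpdesk web front-end
# can apply to a requested NT machine account before the privileged backend
# acts on it.
use strict;
use warnings;

# RFC 952 host name rules: letters, digits and hyphen only, first character a
# letter, last character not a hyphen, no blanks, single-character names
# disallowed. Periods are excluded because a flat NT machine name has no
# domain components. The 15-character cap is the NetBIOS limit (assumption
# added here; RFC 952 itself allows 24).
sub validate_machine_name {
    my ($name) = @_;
    return "empty name"                         unless defined $name && length $name;
    return "longer than 15 characters"          if length $name > 15;
    return "contains whitespace"                if $name =~ /\s/;
    return "invalid character"                  unless $name =~ /^[A-Za-z0-9-]+$/;
    return "must start with a letter"           unless $name =~ /^[A-Za-z]/;
    return "must not end with a hyphen"         if $name =~ /-$/;
    return "single-character names not allowed" if length $name < 2;
    return undef;    # undef means the name is acceptable
}

# Build the record the post describes: a trailing '$' marks a machine account,
# owner and creator are recorded in the 'comment' and 'usrComment' fields so
# a misbehaving machine can be traced back to a person.
sub build_machine_account {
    my ($name, $owner, $creator) = @_;
    my $err = validate_machine_name($name);
    die "Rejected machine name '$name': $err\n" if defined $err;
    return {
        account    => uc($name) . '$',
        comment    => "owner=$owner",
        usrComment => "creator=$creator",
    };
}

# Constructed sample input, as a web form might submit it.
for my $candidate ('ws-lab-042', 'bad name', '9starts', 'ends-', 'x', 'waytoolongmachinename') {
    my $err = validate_machine_name($candidate);
    printf "%-24s %s\n", $candidate, defined $err ? "REJECT ($err)" : "ok";
}
my $rec = build_machine_account('ws-lab-042', 'jdoe', 'helpdesk1');
print "$_=$rec->{$_}\n" for sort keys %$rec;
```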


_______________________________________________
Perl-Win32-Admin mailing list
[EMAIL PROTECTED]
http://listserv.ActiveState.com/mailman/listinfo/perl-win32-admin
