- Create two security groups: AD-12beAdmin-Manager and AD-12beAdmin-User (or names that fit your naming convention).
- Create a service/task user, AD-12beAdmin-svc or similar, with a long and complex password, and make it a member of AD-12beAdmin-Manager.
- Delegate rights on the user and group OUs in Active Directory. $UserPath and $GroupPath below stand for the distinguished names of the OUs that hold the users and groups 12beAdmin is supposed to manage; dsacls expects the trustee with a domain prefix (DOMAIN\AD-12beAdmin-Manager).
Case 1: both 12beAdmin tasks run as AD-12beAdmin-svc. Delegate group and user creation/deletion to AD-12beAdmin-Manager:
dsAcls "$GroupPath" /I:T /G AD-12beAdmin-Manager:CCDC;group
dsAcls "$GroupPath" /I:S /G AD-12beAdmin-Manager:GA
dsAcls "$UserPath" /I:T /G AD-12beAdmin-Manager:CCDC;user
dsAcls "$UserPath" /I:S /G AD-12beAdmin-Manager:GA
Note that GA with /I:S is full control over every existing and future object below the OU, not just the right to create and delete objects; the OUs must therefore contain nothing but the accounts and groups 12beAdmin manages.
Case 2: only disabling accounts is performed by AD-12beAdmin-svc. Delegate write access to userAccountControl to AD-12beAdmin-Manager:
dsAcls "$UserPath" /I:S /G AD-12beAdmin-Manager:RPWP;userAccountControl
- Delegate rights for using 12beAdmin: delegate enabling user accounts, resetting passwords and setting account expiration to AD-12beAdmin-User:
dsAcls "$UserPath" /I:S /G "AD-12beAdmin-User:CA;Reset Password;user"
dsAcls "$UserPath" /I:S /G AD-12beAdmin-User:RPWP;userAccountControl
dsAcls "$UserPath" /I:S /G AD-12beAdmin-User:RPWP;accountExpires
Write access to userAccountControl also allows changing the other account flags stored in that attribute, and together with Reset Password it lets any member of AD-12beAdmin-User take over any account below $UserPath. Keep privileged accounts out of that OU and treat membership in AD-12beAdmin-User as a privileged role.
- Add everyone who should be allowed to use 12beAdmin (e.g. your helpdesk staff) to the AD-12beAdmin-User group.
- Use a PAW / admin workstation / management server.
RSAT – Active Directory Users and Computers is required. On a server operating system, select the RSAT feature in Server Manager. On Windows 10/11:
Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0
- Integrate the tasks: grant AD-12beAdmin-svc the SeBatchLogonRight (Log on as a batch job) on the machine that runs the scheduled tasks. This can be done by Group Policy (filtered to the machine object), manually via secpol.msc (Local Security Policy), by importing a security template with the built-in secedit.exe, or with the old ntrights.exe from the NT4 Resource Kit (if you can still find it). After all these years there is still no Microsoft PowerShell cmdlet for User Rights Assignment.
- Give every member of the AD-12beAdmin-User group read access to 12beAdmin.ps1; the location can be a UNC path. Keep write access to the script (and its share) restricted to administrators, because whatever is written there runs with the delegated rights of every user who launches it.