In: Categories » Computers and technology » Microsoft OS family » Delegate Control of an OU to a User
| Rather than use the Delegation of Control Wizard, use this script to delegate authority over an organizational unit (OU) to a particular user. By delegating administrative responsibilities, you can eliminate the need for multiple administrative accounts that have broad authority (such as over an entire domain). Although you likely will still use the predefined Domain Admins group for administration of the entire domain, you can limit the accounts that are members of the Domain Admins group to highly trusted administrative users. Administrative control can be granted to a user or group by using the Delegation of Control wizard. The Delegation of Control wizard allows you to select the user or group to which you want to delegate control, the organizational units and objects you want to grant those users the right to control, and the permissions to access and modify objects. The CodeWhile using the wizard to do this is straightforward, there is a quick and easy way to achieve the same effect through VBScript. Just open a text editor such as Notepad (making sure that Word Wrap is disabled), type the following script, and save it with a .vbs extension as DelegateOU.vbs: Set ou = GetObject("LDAP://OU=Test,OU=Users,OU=Services,OU=Network,DC=MY,DC=Domain,
DC=com") Set sec = ou.Get("ntSecurityDescriptor")
Set acl = sec.DiscretionaryAcl Set ace = CreateObject("AccessControlEntry")
ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT ace.AccessMask = ADS_RIGHT_DS_CREATE_CHILD Or ADS_RIGHT_DS_DELETE_CHILD ace.ObjectType = "{BF967ABA-0DE6-11D0-A285-00AA003049E2}"
'User's GUID (schemaIDGuid) ace.AceFlags = ADS_ACEFLAG_INHERIT_ACE ace.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT ace.Trustee = "MY\Jsmith" 'User to delegate to acl.AddAce ace sec.DiscretionaryAcl = acl ou.Put "ntSecurityDescriptor", Array(sec) ou.SetInfo Set ace = Nothing Set acl = Nothing Set sec = Nothing When you run this script, the result is to delegate to the user the ability to create and delete users in the MY.DOMAIN.COM/NETWORK/SERVICES/USERS/TEST organizational unit. The first line you need to customize to make this work in your own environment is this one: Set ou = GetObject("LDAP://OU=Test,OU=Users,OU=Services,OU=Network," & _ DC=MY,DC=Domain,DC=com")
You must insert the distinguished name (DN) of the OU to which you want to delegate this right in the LDAP URL section of the command line. For example, if you want the delegated user to be able to add and delete users in the OU called UR.DOMAINHERE.COM/HR/USERS, the line would need to look like this: Set ou = GetObject("LDAP:// OU=Users,OU=HR,DC=Ur,DC=Domainhere,DC=com")
Here is another line you need to modify for your environment: ace.Trustee = "MY\Jsmith" User to delegate to In the section in double quotes ("MY\Jsmith"), you must insert the username for the user to whom you want to delegate the right to add and delete users. For example, if the user that you want to be able to ADD and DELETE users is called Janedoe, the line would look like this: ace.Trustee = "UR\Janedoe" 'Who is the beneficiary of this ace Make sure you have the latest scripting engines on the workstation you run this script from; you can download current scripting engines from the Microsoft Scripting home page (http://msdn.microsoft.com/library/default.asp?url=/nhp/Default.asp?contentid=28001169). When working with the Active Directory Services Interface (ADSI), you must have the same applicable rights you need to use the built-in administrative tools. Running the HackTo run the script, simply create a shortcut to the script and double-click on the shortcut. The script itself does the rest.
|
legal disclaimer
1) Our website is not responsible for the information contained by this article as well for any and all copyright infringements by authors and writers. E-articles is a free information resource. If you suspect this article for any copyright infringements, please read the Terms of service and contact us to investigate the problem.
2) The E-articles directory team is not responsible for inaccuracies, falsehoods, or any other types of misinformation this tutorial may contain and will not be liable for any loss or damage suffered by a user through the user's reliance on the information gained here. Please read the Terms of service
Useful tools and features
If you like this article (tutorial), please link to it from your web page using the information above. Linking to this page, this is the only way to help us improve our service, the same time providing your visitors with a way to improve their online experience.
related articles
IBM and several other PC manufacturers all sold customized versions of Microsoft's MS-DOS, and that there was a competitor called DR-DOS. Gary Kildall, whom we left several pages ago spurning IBM's offer to create the operating system for the PC, went on to finish his 16-bit operating system, called CP/M-86. Kildall sued IBM and Microsoft for copying CP/M, and eventually reached a settlement whereby IBM agreed to offer CP/M-86 in addition to PC-DOS. And IBM did offer CP/M-86, for $240 a copy, versus $40 for PC-DOS. It d...
2. The Evolution of Microsoft Windows ~ Windows XP 64 bit Editions
The CPU story is not over, however. The need for processors capable of handling far more than 4GB of memory has led to development of two competing 64-bit architectures. Intel developed and promoted a 64-bit architecture called IA-64 or Itanium, intended primarily for database and network server computers. Advanced Micro Devices also produced a 64-bit architecture, called x64 or AMD-64. Intel is now manufacturing chips that use the x64 instruction set. x64 processors typically yield better performance than Itanium running 32-bi...
3. Managing Startup Programs under Windows XP
Besides ensuring that your computer has adequate memory, one of the next best ways to improve your subjective experience of Windows' speed is to make the logon process faster. The logon process can be greatly slowed by large numbers of programs that are launched automatically upon logon; the desktop and Start menu don't respond until all of the login programs have been activated. Keeping the list of startup programs short is a constant struggle, however. To hide the fact that many common programs are poorly written and ...
4. How to Configure Automatic Updates in Windows XP
Automatic Updates is a mechanism with an awkwardly plural-sounding name by which Microsoft or corporate network managers distribute critical security updates to Windows users. Fixes sent by this means are considered so important for adequate security in the hostile Internet environment that Microsoft prefers that you configure it to download and install the updates, and if necessary even restart your computer without your being aware of it. There are four levels of Automatic Updates protection to which you can subscribe:...
5. MS DOS Versus PC DOS
With modern PCs having a very high level of standardization and compatibility, today it is easy to see how Microsoft can market complete packaged operating systems that will install and work unmodified on practically any PC you can purchase or build. Without the standardization and compatibility we have come to depend on, different specific "flavors" of a given operating system would be required for specific different hardware. That is exactly how things were back in the early '80s when the IBM PC was introduced. Many o...
6. How to make your PC Available for Remote Desktop Connection
To use Remote Desktop to reach your computer from the Internet, both the computer and your Internet connection must always be up and running. In addition, you must be able to make connections from the outside world to your computer, so there are additional requirements: If you use dial-up Internet service, you'll need someone at home to establish the connection before you can connect to your computer. If you use cable or DSL Internet service, you must either have a static IP address ass...
7. How to Update DirectX ~ Advantages
Although most Windows applications place fairly low demands on the display system, putting up fairly static displays and updating them relatively infrequently, interactive games and video displays are very graphics intensive. Game players pay big bucks for fps, or frames per second, which is a measure of how fast the hardware and software can generate new images as the scene changes and objects move. Under about 30fps, the image flickers and motion is noticeably jerky. Beyond 30fps, faster updates aren't noticeable, and the e...