
Allow update of properties without allowing password changes, etc

Posted by Dedicated_Dad on February 2, 2006, 10:29 am
Hello all!

If this is the wrong group, please tell me and I will happily move my
question to the right place. I've done a fair amount of research and been
unable to find a solution...

My client would like to give a certain user the ability to update addresses,
phone numbers and the like in a (2k native-mode domain (although hosted on
2k3 servers) / Exchange 2003 Native Mode) single-domain forest.

The challenge here is that he has specified that she should *not* be able to
change passwords, group memberships, etc. -- she should only be able to
update the "extra" properties.

I've suggested implementing something like "imanami" and making the users
themselves responsible for this, but I am not sure if it will fly.

Any / all help would be deeply appreciated...

Alan

Posted by Steven L Umbach on February 2, 2006, 1:01 pm
You can do that via delegation in Active Directory, though you may need to
choose custom delegation. For instance, this could be done on an OU where the
user accounts are located. You can go to the OU, right-click and select
delegate to start the Delegation Wizard, add the user/group, select custom
task, only the following objects/users, and then select the permissions. You
may want to check property-specific to see more options. -- Steve



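The delegation Steve describes through the wizard, done in PowerShell so the result is reviewable and repeatable. This is an added example, not code from the thread or from any of its posters. It grants a custom group (rather than the individual account) WriteProperty on an explicit list of address and phone attributes, applied to descendant user objects of one OU, and then reads the DACL back so you can confirm that nothing wider landed. The OU name, the group name and the attribute list are assumptions; it needs the ActiveDirectory module and its AD: drive (Windows Server 2008 R2 RSAT or later), so on the 2003-era servers in the question the same per-attribute ACEs would have to be set with dsacls or the GUI instead. One caveat the wizard does not make obvious: delegate named attributes, not the property sets it offers, because the Public Information property set also covers attributes such as servicePrincipalName and altSecurityIdentities, which are exactly the "security-related" writes the client wants kept out of reach.

```powershell
# Added example, not from the thread: attribute-level delegation in PowerShell.
# OU name, group name and the attribute list are assumptions for illustration.
Import-Module ActiveDirectory

$TargetOU  = "OU=Staff,DC=example,DC=com"     # assumed OU that holds the user accounts
$GroupName = "Delegated-ContactInfo-Editors"  # assumed custom group; put the assistant in it
# Exactly the attributes the assistant may write: address and phone fields, nothing else.
$Attributes = @(
    'streetAddress', 'postOfficeBox', 'l', 'st', 'postalCode', 'c', 'co',
    'physicalDeliveryOfficeName', 'telephoneNumber', 'otherTelephone',
    'mobile', 'homePhone', 'pager', 'facsimileTelephoneNumber', 'ipPhone'
)

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Attribute- and class-specific ACEs are keyed by schemaIDGUID, not by name.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "No schema object with lDAPDisplayName '$LdapDisplayName'" }
    return [guid]$obj.schemaIDGUID
}

$groupSid      = (Get-ADGroup $GroupName).SID
$userClassGuid = Get-SchemaGuid 'user'   # InheritedObjectType: the ACE applies to user objects only
$nameByGuid    = @{}

$acl = Get-Acl -Path "AD:\$TargetOU"
foreach ($attr in $Attributes) {
    $attrGuid = Get-SchemaGuid $attr
    $nameByGuid[$attrGuid] = $attr
    # Allow WriteProperty on this one attribute, inherited by descendant user objects.
    $ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $groupSid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $attrGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid
    )
    $acl.AddAccessRule($ace)
}
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# Read the DACL back and list every ACE that names the group, resolving attribute GUIDs
# to names: the only rights present should be Allow WriteProperty on the list above.
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$GroupName" } |
    Select-Object AccessControlType, ActiveDirectoryRights, InheritanceType,
        @{ n = 'Attribute'; e = { if ($nameByGuid.ContainsKey($_.ObjectType)) { $nameByGuid[$_.ObjectType] } else { $_.ObjectType } } }
```

Run it once per OU that holds the accounts the assistant should maintain; because the ACEs are inherited, accounts created later in those OUs are covered automatically, and accounts moved elsewhere stop being editable without any further change.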
Posted by Dedicated_Dad on February 4, 2006, 10:25 am
Figured I'd post the solution in case it may help someone else...

First I added the "assistant" to the "Account Operators" group. This gave
more rights than necessary, so we needed to "deny" the extra stuff.

Drilling into the Advanced security properties (make sure you turn on "View
Advanced Features"!) and clicking "Add", after adding the account (or group)
in question, change the "Apply Onto" dropdown to "User Objects" and add the
"Deny" permission for:

Change Password
Modify Permissions
Receive As
Reset Password
Send As

Write Group Membership
Write pwdLastSet (80%)
Write x500uniqueIdentifier (99)
Write userPKCS12 (95)
Write userCertificate
Write securityProtocol (90)
Write msDRM-IdentityCertificate
Write attributeCertificateAttribute
Write attributeCertificate
Write accountExpires

This allows them to edit the address, phone, organization, etc. without
allowing password, group, or other "security-related" changes.

Hope this helps someone...

DD


Posted by Steven L Umbach on February 4, 2006, 11:37 am
Were you not able to simply grant the regular user the necessary allow
permissions with delegation, which is simply an interface to AD object
permissions? That would be better than giving a user membership in a
privileged group and trying to restrict him. Even with what you have done
now, that user will definitely be able to create, delete and manage
computer accounts [enable/disable delegation, move them, etc.] if that is a
concern, and may still be able to create and delete non-privileged users and
groups. I try to avoid deny permissions as explicit allow permissions
override inherited deny permissions, which sometimes causes unexpected
problems. --- Steve



Posted by Roger Abell [MVP] on February 4, 2006, 12:17 pm

> . . . avoid deny permissions as explicit allow permissions override
> inherited deny permissions which sometimes causes unexpected problems.

understated !! :) (although quite clear)

I fully agree, poster would likely be far better off if they defined a
custom group and used positive delegation, of write for only the desired
User object attributes, to that custom group.
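The check that Steve's and Roger's replies call for before trusting either design, as an added example that is not part of the thread: for one delegated account, walk the DACL of every user object in an OU, keep only the ACEs that match her token (her own SID plus every group she is in, nested membership included), and say what each one actually allows or denies. It also resolves the Reset Password right the way the access check does, by walking the ACEs in stored order and letting the first applicable one that mentions the right win. That ordering is the mechanism behind Steve's warning: canonical DACL order puts explicit ACEs ahead of inherited ones, and by default the user class's default security descriptor gives Account Operators full control of every user object as an explicit ACE, so a Deny that is inherited from the OU is never reached for a member of that group. The OU name and account name are assumptions; the script needs the ActiveDirectory module. It reports WriteProperty ACEs by attribute GUID rather than name.

```powershell
# Added example, not from the thread: audit what one delegated account can actually do
# to the user objects in an OU, including rights it picks up through group membership.
# OU and account names are assumptions for illustration.
Import-Module ActiveDirectory

$TargetOU  = "OU=Staff,DC=example,DC=com"   # assumed OU that holds the user accounts
$Assistant = "assistant1"                   # assumed sAMAccountName of the delegated user

# Well-known GUIDs, the same in every forest; an empty ObjectType means every right/property.
$ResetPasswordGuid  = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$ChangePasswordGuid = [guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'
$MemberAttrGuid     = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # group membership ('member')

# Right masks as plain integers so the bit tests are unambiguous.
$R = [System.DirectoryServices.ActiveDirectoryRights]
$GenericAll = [int]$R::GenericAll;   $WriteDacl     = [int]$R::WriteDacl
$WriteOwner = [int]$R::WriteOwner;   $ExtendedRight = [int]$R::ExtendedRight
$WriteProperty = [int]$R::WriteProperty
$InheritOnly   = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

# The assistant's token: her own SID plus every group she is in. tokenGroups is
# expanded by the DC, so Account Operators shows up even through nested membership.
$user      = Get-ADUser $Assistant -Properties tokenGroups
$tokenSids = @($user.SID.Value) + @($user.tokenGroups | ForEach-Object { $_.Value })

function Get-AceSid($ace) {
    try   { $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { $null }   # orphaned SID; it cannot be in a live token
}

# True when the ACE is in the assistant's token and applies to this object itself.
function Test-AceApplies($ace) {
    if (([int]$ace.PropagationFlags -band $InheritOnly) -ne 0) { return $false }
    $sid = Get-AceSid $ace
    return ($null -ne $sid) -and ($tokenSids -contains $sid)
}

# The most significant thing one ACE allows or denies.
function Get-AceVerdict($ace) {
    $r     = [int]$ace.ActiveDirectoryRights
    $isAll = ($ace.ObjectType -eq [guid]::Empty)
    if (($r -band $GenericAll) -eq $GenericAll) { return 'FULL CONTROL' }
    if ($r -band $WriteDacl)                    { return 'rewrite permissions (WriteDacl)' }
    if ($r -band $WriteOwner)                   { return 'take ownership (WriteOwner)' }
    if ($r -band $ExtendedRight) {
        if ($isAll)                                  { return 'ALL extended rights (Reset Password, Send As, ...)' }
        if ($ace.ObjectType -eq $ResetPasswordGuid)  { return 'Reset Password' }
        if ($ace.ObjectType -eq $ChangePasswordGuid) { return 'Change Password' }
        return "extended right $($ace.ObjectType)"
    }
    if ($r -band $WriteProperty) {
        if ($isAll)                              { return 'write ALL properties' }
        if ($ace.ObjectType -eq $MemberAttrGuid) { return 'write group membership' }
        return "write property $($ace.ObjectType)"
    }
    return "$($ace.ActiveDirectoryRights)"
}

# Decide one right the way the access check does: walk the DACL in stored order and let
# the first applicable ACE that mentions the right win. Canonical order puts explicit
# ACEs before inherited ones, so an inherited Deny cannot undo an explicit Allow.
# Simplified: owner-implied rights and property-set grants are ignored.
function Resolve-Right($acl, [int]$rightMask, [guid]$rightGuid) {
    foreach ($ace in $acl.Access) {
        if (-not (Test-AceApplies $ace)) { continue }
        if (([int]$ace.ActiveDirectoryRights -band $rightMask) -eq 0) { continue }
        if ($ace.ObjectType -ne [guid]::Empty -and $ace.ObjectType -ne $rightGuid) { continue }
        $how = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }
        return "$($ace.AccessControlType) by $how ACE for $($ace.IdentityReference.Value)"
    }
    return 'Deny (no ACE grants it)'
}

$report = foreach ($u in Get-ADUser -SearchBase $TargetOU -Filter *) {
    $acl = Get-Acl -Path "AD:\$($u.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if (-not (Test-AceApplies $ace)) { continue }
        [pscustomobject]@{
            User = $u.SamAccountName; Via = $ace.IdentityReference.Value
            Type = $ace.AccessControlType; Inherited = $ace.IsInherited
            Verdict = Get-AceVerdict $ace
        }
    }
    [pscustomobject]@{
        User = $u.SamAccountName; Via = '(effective)'; Type = ''; Inherited = ''
        Verdict = 'Reset Password: ' + (Resolve-Right $acl $ExtendedRight $ResetPasswordGuid)
    }
}
$report | Format-Table -AutoSize
# Anything listed here is a finding: an Allow that is not a per-attribute write.
$report | Where-Object { $_.Type -eq 'Allow' -and $_.Verdict -notlike 'write property *' }
```

For the custom-group design Roger recommends, the findings list should come back empty and every "Reset Password" line should read "Deny (no ACE grants it)"; for the Account Operators design it shows the explicit FULL CONTROL ACE that the later Deny entries never get to override.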


