Hack 20 Delegate Control of an OU to a User


Rather than use the Delegation of Control
Wizard, use this script to delegate authority over an organizational
unit (OU) to a particular user.
By delegating administrative responsibilities, you can eliminate
the need for multiple administrative accounts that have broad
authority (such as over an entire domain). Although you likely will
still use the predefined Domain Admins group for administration of
the entire domain, you can limit the accounts that are members of the
Domain Admins group to highly trusted administrative users.
Administrative control can be granted to a user or group by using the
Delegation of Control wizard. The Delegation of Control wizard allows
you to select the user or group to which you want to delegate
control, the organizational units and objects you want to grant those
users the right to control, and the permissions to access and modify
objects.
The Code
While using the wizard to do this is straightforward, there is a quick
and easy way to achieve the same effect through VBScript. Just open a
text editor such as Notepad (making sure that Word Wrap is disabled),
type the following script, and save it with a .vbs extension as
DelegateOU.vbs:
' ADSI enumeration values. A plain .vbs file does not define these
' names, so they must be declared before they are used.
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
Const ADS_RIGHT_DS_CREATE_CHILD = &H1
Const ADS_RIGHT_DS_DELETE_CHILD = &H2
Const ADS_ACEFLAG_INHERIT_ACE = &H2
Const ADS_FLAG_OBJECT_TYPE_PRESENT = &H1

' Bind to the OU whose permissions are being changed
Set ou = GetObject("LDAP://OU=Test,OU=Users,OU=Services,OU=Network," & _
                   "DC=MY,DC=Domain,DC=com")
Set sec = ou.Get("ntSecurityDescriptor")
Set acl = sec.DiscretionaryAcl
' Build one object-specific ACE: allow create/delete of child user objects
Set ace = CreateObject("AccessControlEntry")
ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
ace.AccessMask = ADS_RIGHT_DS_CREATE_CHILD Or ADS_RIGHT_DS_DELETE_CHILD
ace.ObjectType = "{BF967ABA-0DE6-11D0-A285-00AA003049E2}" 'User's GUID (schemaIDGuid)
ace.AceFlags = ADS_ACEFLAG_INHERIT_ACE
ace.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT
ace.Trustee = "MY\Jsmith" 'User to delegate to
' Append the ACE to the DACL and write the security descriptor back
acl.AddAce ace
sec.DiscretionaryAcl = acl
ou.Put "ntSecurityDescriptor", Array(sec)
ou.SetInfo
Set ace = Nothing
Set acl = Nothing
Set sec = Nothing
When you run this script, it delegates to the user the ability to
create and delete users in the MY.DOMAIN.COM/NETWORK/SERVICES/USERS/TEST
organizational unit.
The first line you need to customize to make this work in your own
environment is this one:
Set ou = GetObject("LDAP://OU=Test,OU=Users,OU=Services,OU=Network," & _
                   "DC=MY,DC=Domain,DC=com")
You must insert the distinguished name (DN) of the
OU to which you want to delegate this right in the LDAP URL section
of the command line. For example, if you want the delegated user to
be able to add and delete users in the OU called
UR.DOMAINHERE.COM/HR/USERS, the line would need to
look like this:
Set ou = GetObject("LDAP://OU=Users,OU=HR,DC=Ur,DC=Domainhere,DC=com")
Here is another line you need to modify for your environment:
ace.Trustee = "MY\Jsmith" 'User to delegate to
In the section in double quotes ("MY\Jsmith"), you must insert the
username of the user to whom you want to delegate the right to add and
delete users. For example, if the user who should be able to add and
delete users is called Janedoe, the line would look like this:
ace.Trustee = "UR\Janedoe" 'Who is the beneficiary of this ace
Make sure you have the latest scripting engines on the workstation
you run this script from; you can download current scripting engines
from the Microsoft Scripting home page (http://msdn.microsoft.com/library/default.asp?url=/nhp/Default.asp?contentid=28001169).
When working with the Active Directory Services Interface (ADSI), you
must hold the same rights you would need to make the change with the
built-in administrative tools.
Running the Hack
To run the script, simply create a shortcut to the script and
double-click on the shortcut. The script itself does the rest.
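As an added check that is not part of the original hack, the following VBScript reads the OU's DACL back through the same ADSI objects and lists every trustee that can create or delete child objects, so you can confirm the delegation landed as intended and notice any broader grants you did not expect. It assumes the OU DN used in the hack and the ADSI enumeration values declared as constants.

```vbscript
Option Explicit

' ADSI enumeration values, assumed here because a plain .vbs file does not define them
Const ADS_ACETYPE_ACCESS_ALLOWED = &H0, ADS_ACETYPE_ACCESS_DENIED = &H1
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5, ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6
Const ADS_RIGHT_DS_CREATE_CHILD = &H1, ADS_RIGHT_DS_DELETE_CHILD = &H2
Const ADS_ACEFLAG_INHERIT_ACE = &H2, ADS_ACEFLAG_INHERITED_ACE = &H10
Const ADS_FLAG_OBJECT_TYPE_PRESENT = &H1
Const USER_CLASS_GUID = "{BF967ABA-0DE6-11D0-A285-00AA003049E2}" ' schemaIDGuid of the user class

Dim ouDN, ou, sec, acl, ace, verdict, rights, scope, origin, hits

' Assumed: the OU the hack delegates; point this at the OU you want to audit
ouDN = "OU=Test,OU=Users,OU=Services,OU=Network,DC=MY,DC=Domain,DC=com"
Set ou  = GetObject("LDAP://" & ouDN)
Set sec = ou.Get("ntSecurityDescriptor")
Set acl = sec.DiscretionaryAcl

WScript.Echo "Owner of " & ouDN & ": " & sec.Owner
hits = 0
For Each ace In acl
    ' Report only ACEs whose mask includes creation or deletion of child objects
    If (ace.AccessMask And (ADS_RIGHT_DS_CREATE_CHILD Or ADS_RIGHT_DS_DELETE_CHILD)) <> 0 Then
        Select Case ace.AceType
            Case ADS_ACETYPE_ACCESS_ALLOWED, ADS_ACETYPE_ACCESS_ALLOWED_OBJECT: verdict = "ALLOW"
            Case ADS_ACETYPE_ACCESS_DENIED, ADS_ACETYPE_ACCESS_DENIED_OBJECT:   verdict = "DENY"
            Case Else: verdict = "TYPE " & ace.AceType
        End Select
        rights = ""
        If (ace.AccessMask And ADS_RIGHT_DS_CREATE_CHILD) <> 0 Then rights = rights & "CreateChild "
        If (ace.AccessMask And ADS_RIGHT_DS_DELETE_CHILD) <> 0 Then rights = rights & "DeleteChild "
        ' The hack's ACE is limited to the user class; an ACE without an object type
        ' covers every child class (groups, computers, nested OUs, ...)
        scope = "any child class"
        If (ace.Flags And ADS_FLAG_OBJECT_TYPE_PRESENT) <> 0 Then
            If LCase(ace.ObjectType) = LCase(USER_CLASS_GUID) Then
                scope = "user objects only"
            Else
                scope = "class " & ace.ObjectType
            End If
        End If
        origin = "explicit on this OU"
        If (ace.AceFlags And ADS_ACEFLAG_INHERITED_ACE) <> 0 Then origin = "inherited from a parent"
        If (ace.AceFlags And ADS_ACEFLAG_INHERIT_ACE) <> 0 Then origin = origin & ", propagates to children"
        WScript.Echo verdict & " " & ace.Trustee & ": " & rights & "(" & scope & "; " & origin & ")"
        hits = hits + 1
    End If
Next
WScript.Echo hits & " ACE(s) touch child create/delete; review any trustee you did not intend to delegate to."
```

Run it with cscript so the output goes to the console. An ACE that grants full control only through a generic-rights bit rather than the specific create/delete bits would not match this mask test.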
Hans Schefske