Recipe 7.7 Delegating Control for Managing Membership of a Group

7.7.1 Problem

You want to delegate control of managing the membership of a group.

7.7.2 Solution

7.7.2.1 Using a graphical user interface

7.7.2.2 Using a command-line interface

    > dsacls <GroupDN> /G <GroupName>@DomainName:WP;member;

In the following example, the SalesAdmin group will be given rights to modify membership of the PreSales group.

    > dsacls cn=presales,ou=sales,dc=rallencorp,dc=com /G salesadmins@rallencorp.com:WP;member;
7.7.2.3 Using VBScript

    ' This code grants write access to the member attribute of a group.
    ' ------ SCRIPT CONFIGURATION ------
    strGroupDN = "<GroupDN>"          ' e.g. cn=SalesGroup,ou=Sales,dc=rallencorp,dc=com
    strUserOrGroup = "<UserOrGroup>"  ' e.g. joe@rallencorp.com or RALLENCORP\joe
    ' ------ END CONFIGURATION ---------

    set objGroup = GetObject("LDAP://" & strGroupDN)

    '############################
    ' Constants
    '############################
    ' ADS_ACETYPE_ENUM
    Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &h5
    ' ADS_FLAGTYPE_ENUM: the ObjectType field of the ACE is in use
    Const ADS_FLAG_OBJECT_TYPE_PRESENT = &h1
    ' ADS_RIGHTS_ENUM: write property (WP)
    Const ADS_RIGHT_DS_WRITE_PROP = &h20
    ' From schemaIDGUID of member attribute
    Const MEMBER_ATTRIBUTE = "{bf9679c0-0de6-11d0-a285-00aa003049e2}"

    '############################
    ' Create ACL
    '############################
    set objSD = objGroup.Get("ntSecurityDescriptor")
    set objDACL = objSD.DiscretionaryAcl

    ' Set WP for member attribute
    set objACE = CreateObject("AccessControlEntry")
    objACE.Trustee = strUserOrGroup
    objACE.AccessMask = ADS_RIGHT_DS_WRITE_PROP
    objACE.AceFlags = 0
    objACE.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT
    objACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
    objACE.ObjectType = MEMBER_ATTRIBUTE
    objDACL.AddAce objACE

    '############################
    ' Set ACL
    '############################
    objSD.DiscretionaryAcl = objDACL
    objGroup.Put "ntSecurityDescriptor", objSD
    objGroup.SetInfo

    WScript.Echo "Delegated control of member attribute for " & _
                 strGroupDN & " to " & strUserOrGroup

7.7.3 Discussion

To grant a user or group the ability to manage group membership, you have to grant the write property (WP) permission on the member attribute of the target group. You can add this ACE directly using dsacls or more indirectly with ADUC. ADUC in Windows Server 2003 has a new feature that allows you to simply check a box to grant the ability to modify group membership to the object represented by the managedBy attribute.
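The ACE that the dsacls command and the VBScript above create (an object-specific allow ACE with WP on the member attribute's schemaIDGUID) is also what an audit has to recognize when you later want to know who can change a group's membership. The following Python is an added example, not code from the Active Directory Cookbook: it parses a DACL that has been exported as an SDDL string (the group's nTSecurityDescriptor rendered in SDDL form) and lists the trustees that can write member. It goes beyond the recipe's single case by also treating WP with no object type (all attributes), generic write and full control as membership rights, skipping inherit-only ACEs, and honoring explicit deny entries. The SDDL string and the S-1-5-21-... SIDs are constructed for the example; only the member GUID comes from the recipe.

```python
"""Audit an AD group's DACL (as SDDL) for trustees that can change membership.

Constructed example for this recipe, not the book's or Microsoft's code.
The sample SDDL and the S-1-5-21-... SIDs below are made up.
"""
import re

# schemaIDGUID of the member attribute, as used in the recipe's VBScript.
MEMBER_ATTRIBUTE_GUID = "bf9679c0-0de6-11d0-a285-00aa003049e2"

# Two-letter SDDL right tokens and the access-mask bit each one stands for.
RIGHT_BITS = {
    "CC": 0x00000001, "DC": 0x00000002, "LC": 0x00000004, "SW": 0x00000008,
    "RP": 0x00000010, "WP": 0x00000020, "DT": 0x00000040, "LO": 0x00000080,
    "CR": 0x00000100, "SD": 0x00010000, "RC": 0x00020000, "WD": 0x00040000,
    "WO": 0x00080000, "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000,
    "GR": 0x80000000,
}
ADS_RIGHT_DS_WRITE_PROP = RIGHT_BITS["WP"]
GENERIC_ALL = RIGHT_BITS["GA"]
GENERIC_WRITE = RIGHT_BITS["GW"]

_DACL_RE = re.compile(r"D:[A-Z]*((?:\([^)]*\))+)")   # the D:flags(ace)(ace)... part
_ACE_RE = re.compile(r"\(([^)]*)\)")


def _pairs(field):
    """Split a run of two-letter SDDL tokens ("CIIO" -> {"CI", "IO"})."""
    return {field[i:i + 2] for i in range(0, len(field), 2)}


def parse_rights(field):
    """Turn an SDDL rights field ("WPRP", "GA" or a hex mask) into an int."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for token in _pairs(field):
        if token not in RIGHT_BITS:
            raise ValueError(f"unknown SDDL right {token!r}")
        mask |= RIGHT_BITS[token]
    return mask


def parse_aces(sddl):
    """Return one dict per ACE in the DACL part of an SDDL string."""
    m = _DACL_RE.search(sddl)
    if not m:
        return []
    aces = []
    for body in _ACE_RE.findall(m.group(1)):
        parts = body.split(";")
        if len(parts) != 6:
            raise ValueError(f"malformed ACE {body!r}")
        ace_type, flags, rights, obj_type, inh_type, trustee = parts
        aces.append({
            "type": ace_type,                    # A, D, OA, OD, ...
            "flags": _pairs(flags),              # CI, OI, IO, ID, ...
            "mask": parse_rights(rights),
            "object_type": obj_type.lower(),     # attribute / property-set GUID
            "inherited_object_type": inh_type.lower(),
            "trustee": trustee,                  # SID or SDDL alias (DA, AU, ...)
        })
    return aces


def covers_member_write(ace):
    """True if the ACE's rights reach the member attribute of this very object,
    whether the ACE allows or denies them."""
    if "IO" in ace["flags"]:
        return False            # inherit-only: applies to child objects, not here
    mask = ace["mask"]
    if mask & (GENERIC_ALL | GENERIC_WRITE):
        return True             # full control / generic write covers every attribute
    if not mask & ADS_RIGHT_DS_WRITE_PROP:
        return False
    # WP with an empty object type applies to all attributes; otherwise the
    # object type must be the member attribute's schemaIDGUID.
    return ace["object_type"] in ("", MEMBER_ATTRIBUTE_GUID)


def membership_editors(sddl):
    """Sorted trustees that can change the group's membership under this DACL;
    an explicit deny entry removes a trustee again."""
    allowed, denied = set(), set()
    for ace in parse_aces(sddl):
        if not covers_member_write(ace):
            continue
        if ace["type"] in ("A", "OA"):
            allowed.add(ace["trustee"])
        elif ace["type"] in ("D", "OD"):
            denied.add(ace["trustee"])
    return sorted(allowed - denied)


# Constructed DACL for a group (SIDs are made up).
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    # the ACE the recipe's dsacls command / VBScript writes: WP on member
    "(OA;;WP;bf9679c0-0de6-11d0-a285-00aa003049e2;;S-1-5-21-1000-2000-3000-1107)"
    "(A;;RPLCLORC;;;AU)"                                   # Authenticated Users: read only
    "(A;;GA;;;DA)"                                         # Domain Admins: full control
    "(OA;CIIO;WP;bf9679c0-0de6-11d0-a285-00aa003049e2;;S-1-5-21-1000-2000-3000-1108)"
    "(OD;;WP;bf9679c0-0de6-11d0-a285-00aa003049e2;;S-1-5-21-1000-2000-3000-1109)"
    "(A;;WP;;;S-1-5-21-1000-2000-3000-1109)"               # all attributes, but denied above
)

if __name__ == "__main__":
    for trustee in membership_editors(SAMPLE_SDDL):
        print(trustee)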
If you want to configure additional permissions, such as the ability to modify the description attribute for the group, you will need to go to the Security tab in ADUC, or specify the appropriate attribute with the /G switch with dsacls. For example, this will grant write property on the description attribute:

    /G <GroupName>@DomainDNSName:WP;description;

7.7.4 See Also

Recipe 14.10 for delegating control in Active Directory