| Author | Messages | |
h2bear@msn.com
Posts:51
 | | 12/11/2007 11:28 AM |
| Hi Fernando
You do understand that by doing what Neil recommends you are allowing anyone to change the managedby field. Also, most people should already have the read attribute for anything in AD. By placing someone in the managed by field you give them the ability to change many of the computer attribute settings and can add/remove it from the domain. I am not sure you wish to give this right to any authenticated user in your domain.
Hugh
Subject: RE: [ActiveDir] Modify permissions of attribute "managed-by" to update by script this attribute of object computer at the logon user
Date: Tue, 11 Dec 2007 11:34:14 +0100
From: fgonzalez@grupojoly.com
To: ActiveDir@mail.activedir.org
Thank you, very much, Neil.
One question to confirm. I think that when control is delegated to any group of users, the Administrators group also has this authorization. Is this correct?
Thanks in advance…
Fernando González Macías
fgonzalez @ grupojoly.com
Dpto. Informática Diario de Cádiz
(Grupo Joly)
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of neil.ruston@barclayswealth.com
Sent: Monday, 10 December 2007 15:13
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modify permissions of attribute "managed-by" to update by script this attribute of object computer at the logon user
How about this:
1. Launch Users and Computers
2. Right click root of domain and choose Delegate Authority
3. Add group 'Authenticated Users'
4. Select 'Custom task'
5. Select object type 'Computer objects'
6. Select 'Property-specific' and select 'Read managedBy' and 'Write managedBy'
7. Click Finish
Quick and dirty but it does work :)
neil
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Fernando González Macías
Sent: 10 December 2007 13:56
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modify permissions of attribute "managed-by" to update by script this attribute of object computer at the logon user
Hi Hugh.
I am thinking of doing the whole operation by script during the logon process. When the user has logged on, the logon script gets the user's computer and the username and sets the managed-by attribute with this information.
By default, a normal user doesn't have the correct permissions to do this during the logon process.
What is the method to do this operation?
Thanks in advance, and excuse my poor level of English.
Fernando González Macías
fgonzalez @ grupojoly.com
Dpto. Informática Diario de Cádiz
(Grupo Joly)
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Hugh
Sent: Monday, 10 December 2007 14:46
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modify permissions of attribute "managed-by" to update by script this attribute of object computer at the logon user
Hi Fernando
Maybe I am still misunderstanding you, but what I understand is you want your end users to be able to modify the managed by attribute on their computer object in AD. But other people cannot modify this attribute, or were you planning to just allow all your end users to modify any computer object's managed by field? If so, by MS this is called delegating authority.
Hugh
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Fernando González Macías
Sent: Monday, December 10, 2007 1:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modify permissions of attribute "managed-by" to update by script this attribute of object computer at the logon user
Thanks, Hugh
But I don’t want to delegate authorizations to my users; I want to permit modifying the managed-by attribute of the computer object (AD schema) by VBScript.
I have the correct script; it works when an administrator user is logged on, but not when a normal user is logged on. Thank you.
Fernando González Macías
fgonzalez @ grupojoly.com
Dpto. Informática Diario de Cádiz
(Grupo Joly)
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Hugh
Sent: Monday, 10 December 2007 1:57
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modify permissions of attribute "managed-by" to update by script this attribute of object computer at the logon user
Hi Fernando
I believe you will find all that you are looking for in here.
http://www.microsoft.com/downloads/details.aspx?FamilyID=631747a3-79e1-48fa-9730-dae7c0a1d6d3&displaylang=en
Hugh
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Fernando González Macías
Sent: Sunday, December 09, 2007 2:37 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Modify permissions of attribute "managed-by" to update by script this attribute of object computer at the logon user
I would like to grant users the necessary permissions to update the managed-by attribute of the computer object at logon.
How is this option possible?
Thanks in advance….
Fernando González Macías
fgonzalez @ grupojoly.com
Dpto. Informática Diario de Cádiz
(Grupo Joly)
| | | |
|
|
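An audit-side companion to the delegation steps and Hugh's warning in this thread, as an added example that is not code from the thread: it scans a security descriptor in SDDL form (for instance the `Sddl` property returned by `Get-Acl` on the domain root) for allow ACEs that let a broad group write managedBy on computer objects. The two schema GUIDs are assumed to be the default-schema values and the sample descriptor is constructed; property-set and write-DACL paths are not covered.

```python
import re

# schemaIDGUIDs from the default AD schema (assumption: confirm in your forest).
MANAGED_BY = "0296c120-40da-11d1-a9c0-0000f80367c1"  # managedBy attribute
COMPUTER = "bf967a86-0de6-11d0-a285-00aa003049e2"    # computer class
# SDDL aliases for the broad trustees worth flagging.
BROAD = {"AU": "Authenticated Users", "WD": "Everyone", "DU": "Domain Users"}
WRITE_CODES = {"WP", "GW", "GA"}             # write-property, generic write/all
WRITE_BITS = 0x20 | 0x40000000 | 0x10000000  # the same rights as a hex mask


def grants_write(rights):
    """True if an SDDL rights field includes the right to write properties."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & WRITE_BITS)
    codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return bool(codes & WRITE_CODES)


def broad_managedby_writers(sddl):
    """Return [(trustee, ace)] for allow ACEs that let a broad group write
    managedBy on computer objects (directly or through inheritance)."""
    findings = []
    for ace in re.findall(r"\(([^()]*)\)", sddl):
        fields = ace.split(";")
        if len(fields) < 6:
            continue
        ace_type, _flags, rights, obj, inherit_obj, trustee = fields[:6]
        if ace_type not in ("A", "OA"):      # skip deny and audit ACEs
            continue
        if trustee not in BROAD or not grants_write(rights):
            continue
        # An empty object GUID means "all properties"; an empty inherited
        # object GUID means the ACE applies to every object class.
        if obj.lower() in ("", MANAGED_BY) and inherit_obj.lower() in ("", COMPUTER):
            findings.append((BROAD[trustee], "(" + ace + ")"))
    return findings


# Constructed sample: a domain-root descriptor after the wizard steps above.
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    "(A;;RPRC;;;AU)"                                          # default read
    "(OA;CIIO;RPWP;" + MANAGED_BY + ";" + COMPUTER + ";AU)"   # delegated ACE
    "(OA;CIIO;RPWP;" + MANAGED_BY + ";" + COMPUTER + ";DA)"   # admins only
    "S:(AU;SA;WP;;;WD)"                                       # audit ACE
)

if __name__ == "__main__":
    for trustee, ace in broad_managedby_writers(SAMPLE_SDDL):
        print(trustee, "can write managedBy on computers:", ace)
```

Only the ACE granted to Authenticated Users is reported for the sample; the Domain Admins ACE and the audit ACE are ignored.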