| Author | Messages | |
fgonzalez
Posts:1
 | | 12/09/2007 5:36 AM |
| I would like to permit the necessary permissions to do the
users in the logon, update the attribute managed-by of the computer object.
How is this option possible?
Thanks in advance….
Fernando González Macías
fgonzalez @ grupojoly.com
Dpto. Informática Diario de Cádiz
(Grupo Joly) | | | |
| h2bear@msn.com
Posts:51
| | 12/09/2007 7:57 AM |
| v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
shape {behavior:url(#default#VML);}
Hi Fernando
I believe you will find all
that you are looking for in here.
http://www.microsoftcom/downloads/details.aspx?FamilyID=631747a3-79e1-48fa-9730-dae7c0a1d6d3&displaylang=en
Hugh
From:
ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Fernando González Macías
Sent: Sunday, December 09, 2007
2:37 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Modify
permissions of attribute "managed-by" to update by script this
attribute of object computer at the logon user
I would like to permit the necessary permissions to do the
users in the logon, update the attribute managed-by of the computer object.
How is this option possible?
Thanks in advance….
Fernando González Macías
fgonzalez @ grupojoly.com
Dpto. Informática Diario de Cádiz
(Grupo Joly) | | | |
| h2bear@msn.com
Posts:51
| | 12/09/2007 8:00 AM |
| v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
shape {behavior:url(#default#VML);}
Oh and you will want this also.
http://www.microsoftcom/downloads/details.aspx?FamilyID=29dbae88-a216-45f9-9739-cb1fb22a0642&DisplayLang=en
Hugh
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On
Behalf Of Fernando González Macías
Sent: Sunday, December 09, 2007
2:37 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Modify
permissions of attribute "managed-by" to update by script this
attribute of object computer at the logon user
I would like to permit the necessary permissions to do the
users in the logon, update the attribute managed-by of the computer object.
How is this option possible?
Thanks in advance….
Fernando González Macías
fgonzalez @ grupojoly.com
Dpto. Informática Diario de Cádiz
(Grupo Joly) | | | |
| fgonzalez
Posts:1
| | 12/10/2007 4:22 AM |
| v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
Thanks, Hugh
But I don’t want to delegate
authorizations to my users, I want to permit modify the managed-by attribute of
the computer object – AD schema- by vbscript.
I have the correct script, but it’s
ok when an administrator user is logged, but not, when it’s logged an
normal user.
Thank you.
Fernando González Macías
fgonzalez @ grupojoly.com
Dpto. Informática Diario de Cádiz
(Grupo Joly)
De: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] En
nombre de Hugh
Enviado el: lunes, 10 de diciembre
de 2007 1:57
Para: ActiveDir@mail.activedir.org
Asunto: RE: [ActiveDir] Modify
permissions of attribute "managed-by" to update by script this
attribute of object computer at the logon user
Hi Fernando
I believe you will find all that you are looking for in here.
http://www.microsoftcom/downloads/details.aspx?FamilyID=631747a3-79e1-48fa-9730-dae7c0a1d6d3&displaylang=en
Hugh
From:
ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Fernando González Macías
Sent: Sunday, December 09, 2007
2:37 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Modify
permissions of attribute "managed-by" to update by script this
attribute of object computer at the logon user
I would like to permit the necessary permissions to do the
users in the logon, update the attribute managed-by of the computer object.
How is this option possible?
Thanks in advance….
Fernando González Macías
fgonzalez @ grupojoly.com
Dpto. Informática Diario de Cádiz
(Grupo Joly) | | | |
| listmail
Posts:454
| | 12/10/2007 8:36 AM |
| v\:* {
BEHAVIOR: url(#default#VML)
}
o\:* {
BEHAVIOR: url(#default#VML)
}
w\:* {
BEHAVIOR: url(#default#VML)
}
.shape {
BEHAVIOR: url(#default#VML)
}
@font-face {
font-family: Tahoma;
}
@page Section1 {size: 595.3pt 841.9pt; margin: 70.85pt 3.0cm 70.85pt 3.0cm; }
P.MsoNormal {
FONT-SIZE: 12pt; MARGIN: 0cm 0cm 0pt; FONT-FAMILY: "Times New Roman"
}
LI.MsoNormal {
FONT-SIZE: 12pt; MARGIN: 0cm 0cm 0pt; FONT-FAMILY: "Times New Roman"
}
DIV.MsoNormal {
FONT-SIZE: 12pt; MARGIN: 0cm 0cm 0pt; FONT-FAMILY: "Times New Roman"
}
A:link {
COLOR: blue; TEXT-DECORATION: underline
}
SPAN.MsoHyperlink {
COLOR: blue; TEXT-DECORATION: underline
}
A:visited {
COLOR: purple; TEXT-DECORATION: underline
}
SPAN.MsoHyperlinkFollowed {
COLOR: purple; TEXT-DECORATION: underline
}
SPAN.EstiloCorreo17 {
COLOR: windowtext; FONT-FAMILY: Arial; mso-style-type: personal
}
SPAN.EstiloCorreo18 {
COLOR: navy; FONT-FAMILY: Arial; mso-style-type: personal
}
SPAN.EstiloCorreo19 {
COLOR: navy; FONT-FAMILY: Arial; mso-style-type: personal-reply
}
DIV.Section1 {
page: Section1
}
In order for a script run by a normal user to modify the
managed-by attribute of a computer, you are going to have to delegate normal
users to modify that attribute. Period.
Unless you know the mapping of users to computers, you will
have to let every user be able to modify that attribute on every
computer.
joe
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Fernando
González MacíasSent: Monday, December 10, 2007 4:23 AMTo:
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Modify
permissions of attribute "managed-by" to update by script this attribute of
object computer at the logon user
Thanks,
Hugh
But I dont want
to delegate authorizations to my users, I want to permit modify the managed-by
attribute of the computer object AD schema- by
vbscript.
I have the correct
script, but its ok when an administrator user is logged, but not, when its
logged an normal user.
Thank
you.
Fernando González
Macías
fgonzalez @
grupojoly.com
Dpto. Informática
Diario de Cádiz
(Grupo
Joly)
De:
ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org]
En nombre de HughEnviado el: lunes, 10 de diciembre de 2007
1:57Para:
ActiveDir@mail.activedir.orgAsunto: RE: [ActiveDir] Modify permissions
of attribute "managed-by" to update by script this attribute of object computer
at the logon user
Hi
Fernando
I believe you will find all that you are looking for in
here.
http://www.microsoftcom/downloads/details.aspx?FamilyID=631747a3-79e1-48fa-9730-dae7c0a1d6d3&displaylang=en
Hugh
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Fernando González
MacíasSent: Sunday, December
09, 2007 2:37 PMTo:
ActiveDir@mail.activedir.orgSubject: [ActiveDir] Modify permissions of
attribute "managed-by" to update by script this attribute of object computer at
the logon user
I would like to permit the necessary
permissions to do the users in the logon, update the attribute managed-by of the
computer object.
How is this option possible?
Thanks in
advance
.
Fernando González
Macías
fgonzalez @
grupojoly.com
Dpto. Informática Diario de
Cádiz
(Grupo
Joly) | | | |
| h2bear@msn.com
Posts:51
| | 12/10/2007 8:46 AM |
| v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
shape {behavior:url(#default#VML);}
Hi Fernando
Maybe I am still misunderstanding
you, but what I understand is you want your end users to be able to modify the
managed by attribute on their computer object in AD. But other people can not
modify this attribute or were you planning to just allow all your end-users to
modify any computer objects managed by field? If so, by MS this is called
delegating authority.
Hugh
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On
Behalf Of Fernando González Macías
Sent: Monday, December 10, 2007
1:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modify
permissions of attribute "managed-by" to update by script this
attribute of object computer at the logon user
Thanks, Hugh
But I don’t
want to delegate authorizations to my users, I want to permit modify the
managed-by attribute of the computer object – AD schema- by vbscript.
I have the correct
script, but it’s ok when an administrator user is logged, but not, when
it’s logged an normal user.
Thank you.
Fernando González Macías
fgonzalez @ grupojoly.com
Dpto. Informática Diario
de Cádiz
(Grupo Joly)
De:
ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] En nombre de Hugh
Enviado el: lunes, 10 de diciembre
de 2007 1:57
Para: ActiveDir@mail.activedir.org
Asunto: RE: [ActiveDir] Modify
permissions of attribute "managed-by" to update by script this
attribute of object computer at the logon user
Hi Fernando
I believe you will find all that you are looking for in here.
http://www.microsoftcom/downloads/details.aspx?FamilyID=631747a3-79e1-48fa-9730-dae7c0a1d6d3&displaylang=en
Hugh
From:
ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Fernando González Macías
Sent: Sunday, December 09, 2007
2:37 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Modify
permissions of attribute "managed-by" to update by script this
attribute of object computer at the logon user
I would like to permit the necessary permissions to do the users
in the logon, update the attribute managed-by of the computer object.
How is this option possible?
Thanks in advance….
Fernando González Macías
fgonzalez @ grupojoly.com
Dpto. Informática Diario de Cádiz
(Grupo Joly) | | | |
| fgonzalez
Posts:1
| | 12/10/2007 8:55 AM |
| v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
Hi Hugh.
I thinking to do all the operation by
script at the logon process. When the user is loggoned, the logon script to
catch the computer of the user and the username y set the attributed managed-by
with this information.
By default, a normal user hasn´t the
correct permissions to do while the logon process.
Wha’s is the method to do this
operation?
Thanks in advance and excuse me by my poor level of english.
Fernando González Macías
fgonzalez @ grupojoly.com
Dpto. Informática Diario de Cádiz
(Grupo Joly)
De:
ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] En nombre de Hugh
Enviado el: lunes, 10 de diciembre
de 2007 14:46
Para: ActiveDir@mail.activedir.org
Asunto: RE: [ActiveDir] Modify
permissions of attribute "managed-by" to update by script this
attribute of object computer at the logon user
Hi Fernando
Maybe I am still misunderstanding you, but what I understand is you want your
end users to be able to modify the managed by attribute on their computer
object in AD. But other people can not modify this attribute or were you
planning to just allow all your end-users to modify any computer objects
managed by field? If so, by MS this is called delegating authority.
Hugh
From:
ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Fernando González Macías
Sent: Monday, December 10, 2007
1:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modify
permissions of attribute "managed-by" to update by script this
attribute of object computer at the logon user
Thanks, Hugh
But I don’t want to delegate
authorizations to my users, I want to permit modify the managed-by attribute of
the computer object – AD schema- by vbscript.
I have the correct script, but it’s
ok when an administrator user is logged, but not, when it’s logged an
normal user.
Thank you.
Fernando González Macías
fgonzalez @ grupojoly.com
Dpto. Informática Diario de Cádiz
(Grupo Joly)
De:
ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] En nombre de Hugh
Enviado el: lunes, 10 de diciembre
de 2007 1:57
Para: ActiveDir@mail.activedir.org
Asunto: RE: [ActiveDir] Modify
permissions of attribute "managed-by" to update by script this
attribute of object computer at the logon user
Hi Fernando
I believe you will find all that you are looking for in here.
http://www.microsoftcom/downloads/details.aspx?FamilyID=631747a3-79e1-48fa-9730-dae7c0a1d6d3&displaylang=en
Hugh
From:
ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Fernando González Macías
Sent: Sunday, December 09, 2007
2:37 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Modify
permissions of attribute "managed-by" to update by script this attribute
of object computer at the logon user
I would like to permit the necessary permissions to do the
users in the logon, update the attribute managed-by of the computer object.
How is this option possible?
Thanks in advance….
Fernando González Macías
fgonzalez @ grupojoly.com
Dpto. Informática Diario de Cádiz
(Grupo Joly) | | | |
| neilruston
Posts:153
| | 12/10/2007 9:12 AM |
| v\:* {
BEHAVIOR: url(#default#VML)
}
o\:* {
BEHAVIOR: url(#default#VML)
}
w\:* {
BEHAVIOR: url(#default#VML)
}
.shape {
BEHAVIOR: url(#default#VML)
}
@font-face {
font-family: Tahoma;
}
@page Section1 {size: 595.3pt 841.9pt; margin: 70.85pt 3.0cm 70.85pt 3.0cm; }
P.MsoNormal {
FONT-SIZE: 12pt; MARGIN: 0cm 0cm 0pt; FONT-FAMILY: "Times New Roman"
}
LI.MsoNormal {
FONT-SIZE: 12pt; MARGIN: 0cm 0cm 0pt; FONT-FAMILY: "Times New Roman"
}
DIV.MsoNormal {
FONT-SIZE: 12pt; MARGIN: 0cm 0cm 0pt; FONT-FAMILY: "Times New Roman"
}
A:link {
COLOR: blue; TEXT-DECORATION: underline
}
SPAN.MsoHyperlink {
COLOR: blue; TEXT-DECORATION: underline
}
A:visited {
COLOR: purple; TEXT-DECORATION: underline
}
SPAN.MsoHyperlinkFollowed {
COLOR: purple; TEXT-DECORATION: underline
}
SPAN.EstiloCorreo17 {
COLOR: windowtext; FONT-FAMILY: Arial; mso-style-type: personal
}
SPAN.EstiloCorreo18 {
COLOR: navy; FONT-FAMILY: Arial; mso-style-type: personal
}
SPAN.EstiloCorreo19 {
COLOR: navy; FONT-FAMILY: Arial; mso-style-type: personal
}
SPAN.EstiloCorreo20 {
COLOR: navy; FONT-FAMILY: Arial; mso-style-type: personal
}
SPAN.EstiloCorreo21 {
COLOR: navy; FONT-FAMILY: Arial; mso-style-type: personal-reply
}
DIV.Section1 {
page: Section1
}
How about this:
1. Launch Users and Computers
2. Right click root of domain and choose Delegate
Authority
3. Add group 'Authenticated Users'
4. Select 'Custom task'
5. Select object type 'Computer
objects'
6. Select 'Property-specific' and select 'Read managedBy'
and 'Write managedBy'
7. Click Finish
Quick and dirty but it does work :)
neil
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Fernando
González MacíasSent: 10 December 2007 13:56To:
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Modify
permissions of attribute "managed-by" to update by script this attribute of
object computer at the logon user
Hi
Hugh.
I thinking to do
all the operation by script at the logon process. When the user is loggoned, the
logon script to catch the computer of the user and the username y set the
attributed managed-by with this information.
By default, a normal
user hasn´t the correct permissions to do while the logon
process.
Whas is the method to
do this operation?
Thanks in
advance and excuse me by my poor level of
english.
Fernando González
Macías
fgonzalez @
grupojoly.com
Dpto. Informática
Diario de Cádiz
(Grupo
Joly)
De:
ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org]
En nombre de HughEnviado el: lunes, 10 de diciembre de 2007
14:46Para:
ActiveDir@mail.activedir.orgAsunto: RE: [ActiveDir] Modify permissions
of attribute "managed-by" to update by script this attribute of object computer
at the logon user
Hi
Fernando
Maybe I am still misunderstanding you, but what I understand is you want your
end users to be able to modify the managed by attribute on their computer object
in AD. But other people can not modify this attribute or were you planning to
just allow all your end-users to modify any computer objects managed by field?
If so, by MS this is called delegating authority.
Hugh
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Fernando González
MacíasSent: Monday, December
10, 2007 1:23 AMTo:
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Modify permissions
of attribute "managed-by" to update by script this attribute of object computer
at the logon user
Thanks,
Hugh
But I dont want
to delegate authorizations to my users, I want to permit modify the managed-by
attribute of the computer object AD schema- by
vbscript.
I have the correct
script, but its ok when an administrator user is logged, but not, when its
logged an normal user.
Thank
you.
Fernando González
Macías
fgonzalez @
grupojoly.com
Dpto. Informática
Diario de Cádiz
(Grupo
Joly)
De:
ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org]
En nombre de HughEnviado el: lunes, 10 de diciembre de 2007
1:57Para:
ActiveDir@mail.activedir.orgAsunto: RE: [ActiveDir] Modify permissions
of attribute "managed-by" to update by script this attribute of object computer
at the logon user
Hi
Fernando
I believe you will find all that you are looking for in
here.
http://www.microsoftcom/downloads/details.aspx?FamilyID=631747a3-79e1-48fa-9730-dae7c0a1d6d3&displaylang=en
Hugh
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Fernando González
MacíasSent: Sunday, December
09, 2007 2:37 PMTo:
ActiveDir@mail.activedir.orgSubject: [ActiveDir] Modify permissions of
attribute "managed-by" to update by script this attribute of object computer at
the logon user
I would like to permit the necessary
permissions to do the users in the logon, update the attribute managed-by of the
computer object.
How is this option possible?
Thanks in
advance
.
Fernando González
Macías
fgonzalez @
grupojoly.com
Dpto. Informática Diario de
Cádiz
(Grupo
Joly)
Barclays Wealth is the wealth management division of
Barclays Bank PLC. This email may relate to or be sent from other members of the
Barclays Group.
The availability of products and services may be
limited by the applicable laws and regulations in certain jurisdictions. The
Barclays Group does not normally accept or offer business instructions via
internet email. Any action that you might take upon this message might be at
your own risk.
This e-mail and any attachments are confidential and
intended solely for the addressee and may also be privileged or exempt from
disclosure under applicable law. If you are not the addressee, or have received
this e-mail in error, please notify the sender immediately, delete it from your
system and do not copy, disclose or otherwise act upon any part of this e-mail
or its attachments.
Internet communications are not guaranteed to be
secure or virus-free. The Barclays Group does not accept responsibility for any
loss arising from unauthorised access to, or interference with, any Internet
communications by any third party, or from the transmission of any viruses.
Replies to this e-mail may be monitored by the Barclays Group for operational or
business reasons.
Any opinion or other information in this e-mail or
its attachments that does not relate to the business of the Barclays Group is
personal to the sender and is not given or endorsed by the Barclays
Group.
Barclays Bank PLC. Registered in England and Wales
(registered no. 1026167).Registered Office: 1 Churchill Place, London, E14
5HP, United Kingdom.
Barclays Bank PLC is authorised and regulated by the
Financial Services Authority. | | | |
| h2bear@msn.com
Posts:51
| | 12/10/2007 9:16 AM |
| v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
shape {behavior:url(#default#VML);}
So you want to set the “managed by”
field by what machine they logon to. I am not sure you want to do this. Not
sure how you have your GPO setup, but if you think about it. Depending upon
what sort of access people have to different peoples systems and to where you
have your servers vs laptops and desktops. I could become the owner of more
than just my machine my walking around and logging on to every machine that I have
access to. I personally would not want to do this. I think it would be better
to control this at the time you hand the system over to the person and leave at
that. I would stay away from this type of scripting for security reasons.
Hugh
From:
ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Fernando González Macías
Sent: Monday, December 10, 2007
5:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modify
permissions of attribute "managed-by" to update by script this
attribute of object computer at the logon user
Hi Hugh.
I thinking to do
all the operation by script at the logon process. When the user is loggoned,
the logon script to catch the computer of the user and the username y set the
attributed managed-by with this information.
By default, a normal user
hasn´t the correct permissions to do while the logon process.
Wha’s is the method
to do this operation?
Thanks in advance and excuse me by my poor level of english.
Fernando González Macías
fgonzalez @ grupojoly.com
Dpto. Informática Diario
de Cádiz
(Grupo Joly)
De:
ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] En nombre de Hugh
Enviado el: lunes, 10 de diciembre
de 2007 14:46
Para: ActiveDir@mail.activedir.org
Asunto: RE: [ActiveDir] Modify
permissions of attribute "managed-by" to update by script this
attribute of object computer at the logon user
Hi Fernando
Maybe I am still misunderstanding you, but what I understand is you want your
end users to be able to modify the managed by attribute on their computer
object in AD. But other people can not modify this attribute or were you
planning to just allow all your end-users to modify any computer objects
managed by field? If so, by MS this is called delegating authority.
Hugh
From:
ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Fernando González Macías
Sent: Monday, December 10, 2007
1:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modify
permissions of attribute "managed-by" to update by script this
attribute of object computer at the logon user
Thanks, Hugh
But I don’t
want to delegate authorizations to my users, I want to permit modify the
managed-by attribute of the computer object – AD schema- by vbscript.
I have the correct
script, but it’s ok when an administrator user is logged, but not, when
it’s logged an normal user.
Thank you.
Fernando González Macías
fgonzalez @ grupojoly.com
Dpto. Informática Diario
de Cádiz
(Grupo Joly)
De:
ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] En nombre de Hugh
Enviado el: lunes, 10 de diciembre
de 2007 1:57
Para: ActiveDir@mail.activedir.org
Asunto: RE: [ActiveDir] Modify
permissions of attribute "managed-by" to update by script this
attribute of object computer at the logon user
Hi Fernando
I believe you will find all that you are looking for in here.
http://www.microsoftcom/downloads/details.aspx?FamilyID=631747a3-79e1-48fa-9730-dae7c0a1d6d3&displaylang=en
Hugh
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On
Behalf Of Fernando González Macías
Sent: Sunday, December 09, 2007
2:37 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Modify
permissions of attribute "managed-by" to update by script this
attribute of object computer at the logon user
I would like to permit the necessary permissions to do the
users in the logon, update the attribute managed-by of the computer object.
How is this option possible?
Thanks in advance….
Fernando González Macías
fgonzalez @ grupojoly.com
Dpto. Informática Diario de Cádiz
(Grupo Joly) | | | |
| fgonzalez
Posts:1
| | 12/11/2007 5:34 AM |
| v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
Thank you, very much, Neil.
One question to confirm. I think that
when to delegate control to any groups of users, the administrator’s Group
too they have this authorization. Is this correct?
Thanks in advance…
Fernando González Macías
fgonzalez @ grupojoly.com
Dpto. Informática Diario de Cádiz
(Grupo Joly)
De:
ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] En nombre de neil.ruston@barclayswealth.com
Enviado el: lunes, 10 de diciembre
de 2007 15:13
Para: ActiveDir@mail.activedir.org
Asunto: RE: [ActiveDir] Modify
permissions of attribute "managed-by" to update by script this
attribute of object computer at the logon user
How about this:
1. Launch Users and Computers
2. Right click root of domain and choose
Delegate Authority
3. Add group 'Authenticated Users'
4. Select 'Custom task'
5. Select object type 'Computer objects'
6. Select 'Property-specific' and select
'Read managedBy' and 'Write managedBy'
7. Click Finish
Quick and dirty but it does work :)
neil
From:
ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Fernando González Macías
Sent: 10 December 2007 13:56
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modify
permissions of attribute "managed-by" to update by script this
attribute of object computer at the logon user
Hi Hugh.
I thinking to do all the operation
by script at the logon process. When the user is loggoned, the logon script to
catch the computer of the user and the username y set the attributed managed-by
with this information.
By default, a normal user hasn´t the
correct permissions to do while the logon process.
Wha’s is the method to do this
operation?
Thanks in advance and excuse me by my poor level of english.
Fernando González Macías
fgonzalez @ grupojoly.com
Dpto. Informática Diario de Cádiz
(Grupo Joly)
De:
ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] En nombre de Hugh
Enviado el: lunes, 10 de diciembre
de 2007 14:46
Para: ActiveDir@mail.activedir.org
Asunto: RE: [ActiveDir] Modify
permissions of attribute "managed-by" to update by script this
attribute of object computer at the logon user
Hi Fernando
Maybe I am still misunderstanding you, but what I understand is you want your
end users to be able to modify the managed by attribute on their computer
object in AD. But other people can not modify this attribute or were you
planning to just allow all your end-users to modify any computer objects
managed by field? If so, by MS this is called delegating authority.
Hugh
From:
ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Fernando González Macías
Sent: Monday, December 10, 2007
1:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modify
permissions of attribute "managed-by" to update by script this
attribute of object computer at the logon user
Thanks, Hugh
But I don’t want to delegate
authorizations to my users, I want to permit modify the managed-by attribute of
the computer object – AD schema- by vbscript.
I have the correct script, but it’s
ok when an administrator user is logged, but not, when it’s logged an
normal user.
Thank you.
Fernando González Macías
fgonzalez @ grupojoly.com
Dpto. Informática Diario de Cádiz
(Grupo Joly)
De: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] En
nombre de Hugh
Enviado el: lunes, 10 de diciembre
de 2007 1:57
Para: ActiveDir@mail.activedir.org
Asunto: RE: [ActiveDir] Modify
permissions of attribute "managed-by" to update by script this
attribute of object computer at the logon user
Hi Fernando
I believe you will find all that you are looking for in here.
http://www.microsoftcom/downloads/details.aspx?FamilyID=631747a3-79e1-48fa-9730-dae7c0a1d6d3&displaylang=en
Hugh
From:
ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Fernando González Macías
Sent: Sunday, December 09, 2007
2:37 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Modify
permissions of attribute "managed-by" to update by script this
attribute of object computer at the logon user
I would like to permit the necessary permissions to do the
users in the logon, update the attribute managed-by of the computer object.
How is this option possible?
Thanks in advance….
Fernando González Macías
fgonzalez @ grupojoly.com
Dpto. Informática Diario de Cádiz
(Grupo Joly)
Barclays Wealth is the wealth management division of
Barclays Bank PLC. This email may relate to or be sent from other members of
the Barclays Group.
The
availability of products and services may be limited by the applicable laws and
regulations in certain jurisdictions. The Barclays Group does not normally
accept or offer business instructions via internet email. Any action that you
might take upon this message might be at your own risk.
This
e-mail and any attachments are confidential and intended solely for the
addressee and may also be privileged or exempt from disclosure under applicable
law. If you are not the addressee, or have received this e-mail in error,
please notify the sender immediately, delete it from your system and do not
copy, disclose or otherwise act upon any part of this e-mail or its
attachments.
Internet
communications are not guaranteed to be secure or virus-free. The Barclays
Group does not accept responsibility for any loss arising from unauthorised
access to, or interference with, any Internet communications by any third
party, or from the transmission of any viruses. Replies to this e-mail may be
monitored by the Barclays Group for operational or business reasons.
Any
opinion or other information in this e-mail or its attachments that does not
relate to the business of the Barclays Group is personal to the sender and is
not given or endorsed by the Barclays Group.
Barclays
Bank PLC. Registered in England and Wales (registered no. 1026167).
Registered Office: 1 Churchill Place, London, E14 5HP, United Kingdom.
Barclays
Bank PLC is authorised and regulated by the Financial Services Authority. | | | |
| neilruston
Posts:153
| | 12/11/2007 7:05 AM |
| v\:* {
BEHAVIOR: url(#default#VML)
}
o\:* {
BEHAVIOR: url(#default#VML)
}
w\:* {
BEHAVIOR: url(#default#VML)
}
.shape {
BEHAVIOR: url(#default#VML)
}
@font-face {
font-family: Tahoma;
}
@page Section1 {size: 595.3pt 841.9pt; margin: 70.85pt 3.0cm 70.85pt 3.0cm; }
P.MsoNormal {
FONT-SIZE: 12pt; MARGIN: 0cm 0cm 0pt; FONT-FAMILY: "Times New Roman"
}
LI.MsoNormal {
FONT-SIZE: 12pt; MARGIN: 0cm 0cm 0pt; FONT-FAMILY: "Times New Roman"
}
DIV.MsoNormal {
FONT-SIZE: 12pt; MARGIN: 0cm 0cm 0pt; FONT-FAMILY: "Times New Roman"
}
A:link {
COLOR: blue; TEXT-DECORATION: underline
}
SPAN.MsoHyperlink {
COLOR: blue; TEXT-DECORATION: underline
}
A:visited {
COLOR: purple; TEXT-DECORATION: underline
}
SPAN.MsoHyperlinkFollowed {
COLOR: purple; TEXT-DECORATION: underline
}
P {
FONT-SIZE: 12pt; MARGIN-LEFT: 0cm; MARGIN-RIGHT: 0cm; FONT-FAMILY: "Times New Roman"; mso-margin-top-alt: auto; mso-margin-bottom-alt: auto
}
SPAN.EstiloCorreo17 {
COLOR: windowtext; FONT-FAMILY: Arial; mso-style-type: personal
}
SPAN.EstiloCorreo18 {
COLOR: navy; FONT-FAMILY: Arial; mso-style-type: personal
}
SPAN.EstiloCorreo19 {
COLOR: navy; FONT-FAMILY: Arial; mso-style-type: personal
}
SPAN.EstiloCorreo20 {
COLOR: navy; FONT-FAMILY: Arial; mso-style-type: personal
}
SPAN.EstiloCorreo21 {
COLOR: navy; FONT-FAMILY: Arial; mso-style-type: personal
}
SPAN.EstiloCorreo23 {
COLOR: navy; FONT-FAMILY: Arial; mso-style-type: personal-reply
}
DIV.Section1 {
page: Section1
}
If I understand your question, then yes, Administrators and
Domain Admins have the rights to perform the below steps.
neil
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Fernando
González MacíasSent: 11 December 2007 10:34To:
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Modify
permissions of attribute "managed-by" to update by script this attribute of
object computer at the logon user
Thank you, very much,
Neil.
One question to
confirm. I think that when to delegate control to any groups of users, the
administrators Group too they have this authorization. Is this
correct?
Thanks in
advance
Fernando González
Macías
fgonzalez @
grupojoly.com
Dpto. Informática
Diario de Cádiz
(Grupo
Joly)
De:
ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org]
En nombre de
neil.ruston@barclayswealth.comEnviado el: lunes, 10 de diciembre de 2007
15:13Para:
ActiveDir@mail.activedir.orgAsunto: RE: [ActiveDir] Modify permissions
of attribute "managed-by" to update by script this attribute of object computer
at the logon user
How about
this:
1. Launch Users and
Computers
2. Right click root of
domain and choose Delegate Authority
3. Add group
'Authenticated Users'
4. Select 'Custom
task'
5. Select object type
'Computer objects'
6. Select
'Property-specific' and select 'Read managedBy' and 'Write
managedBy'
7. Click
Finish
Quick and dirty but it
does work :)
neil
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Fernando González
MacíasSent: 10 December 2007
13:56To:
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Modify permissions
of attribute "managed-by" to update by script this attribute of object computer
at the logon user
Hi
Hugh.
I thinking to do
all the operation by script at the logon process. When the user is loggoned, the
logon script to catch the computer of the user and the username y set the
attributed managed-by with this information.
By default, a normal
user hasn´t the correct permissions to do while the logon
process.
Whas is the method to
do this operation?
Thanks in
advance and excuse me by my poor level of
english.
Fernando González
Macías
fgonzalez @
grupojoly.com
Dpto. Informática
Diario de Cádiz
(Grupo
Joly)
De:
ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org]
En nombre de HughEnviado el: lunes, 10 de diciembre de 2007
14:46Para:
ActiveDir@mail.activedir.orgAsunto: RE: [ActiveDir] Modify permissions
of attribute "managed-by" to update by script this attribute of object computer
at the logon user
Hi
Fernando
Maybe I am still misunderstanding you, but what I understand is you want your
end users to be able to modify the managed by attribute on their computer object
in AD. But other people can not modify this attribute or were you planning to
just allow all your end-users to modify any computer objects managed by field?
If so, by MS this is called delegating authority.
Hugh
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Fernando González
MacíasSent: Monday, December
10, 2007 1:23 AMTo:
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Modify permissions
of attribute "managed-by" to update by script this attribute of object computer
at the logon user
Thanks,
Hugh
But I dont want
to delegate authorizations to my users, I want to permit modify the managed-by
attribute of the computer object AD schema- by
vbscript.
I have the correct
script, but its ok when an administrator user is logged, but not, when its
logged an normal user.
Thank
you.
Fernando González
Macías
fgonzalez @
grupojoly.com
Dpto. Informática
Diario de Cádiz
(Grupo
Joly)
De:
ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org]
En nombre de HughEnviado el: lunes, 10 de diciembre de 2007
1:57Para:
ActiveDir@mail.activedir.orgAsunto: RE: [ActiveDir] Modify permissions
of attribute "managed-by" to update by script this attribute of object computer
at the logon user
Hi
Fernando
I believe you will find all that you are looking for in
here.
http://www.microsoftcom/downloads/details.aspx?FamilyID=631747a3-79e1-48fa-9730-dae7c0a1d6d3&displaylang=en
Hugh
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Fernando González
MacíasSent: Sunday, December
09, 2007 2:37 PMTo:
ActiveDir@mail.activedir.orgSubject: [ActiveDir] Modify permissions of
attribute "managed-by" to update by script this attribute of object computer at
the logon user
I would like to permit the necessary
permissions to do the users in the logon, update the attribute managed-by of the
computer object.
How is this option possible?
Thanks in
advance
.
Fernando González
Macías
fgonzalez @
grupojoly.com
Dpto. Informática Diario de
Cádiz
(Grupo
Joly)
Barclays Wealth is the wealth
management division of Barclays Bank PLC. This email may relate to or be sent
from other members of the Barclays Group.
The availability of products and
services may be limited by the applicable laws and regulations in certain
jurisdictions. The Barclays Group does not normally accept or offer business
instructions via internet email. Any action that you might take upon this
message might be at your own risk.
This e-mail and any attachments are
confidential and intended solely for the addressee and may also be privileged or
exempt from disclosure under applicable law. If you are not the addressee, or
have received this e-mail in error, please notify the sender immediately, delete
it from your system and do not copy, disclose or otherwise act upon any part of
this e-mail or its attachments.
Internet communications are not
guaranteed to be secure or virus-free. The Barclays Group does not accept
responsibility for any loss arising from unauthorised access to, or interference
with, any Internet communications by any third party, or from the transmission
of any viruses. Replies to this e-mail may be monitored by the Barclays Group
for operational or business reasons.
Any opinion or other information in
this e-mail or its attachments that does not relate to the business of the
Barclays Group is personal to the sender and is not given or endorsed by the
Barclays Group.
Barclays Bank PLC. Registered in
England and Wales (registered no. 1026167).Registered Office: 1 Churchill
Place, London, E14 5HP, United Kingdom.
Barclays Bank PLC is authorised and
regulated by the Financial Services
Authority.
Barclays Wealth is the wealth management division of
Barclays Bank PLC. This email may relate to or be sent from other members of the
Barclays Group.
The availability of products and services may be
limited by the applicable laws and regulations in certain jurisdictions. The
Barclays Group does not normally accept or offer business instructions via
internet email. Any action that you might take upon this message might be at
your own risk.
This e-mail and any attachments are confidential and
intended solely for the addressee and may also be privileged or exempt from
disclosure under applicable law. If you are not the addressee, or have received
this e-mail in error, please notify the sender immediately, delete it from your
system and do not copy, disclose or otherwise act upon any part of this e-mail
or its attachments.
Internet communications are not guaranteed to be
secure or virus-free. The Barclays Group does not accept responsibility for any
loss arising from unauthorised access to, or interference with, any Internet
communications by any third party, or from the transmission of any viruses.
Replies to this e-mail may be monitored by the Barclays Group for operational or
business reasons.
Any opinion or other information in this e-mail or
its attachments that does not relate to the business of the Barclays Group is
personal to the sender and is not given or endorsed by the Barclays
Group.
Barclays Bank PLC. Registered in England and Wales
(registered no. 1026167).Registered Office: 1 Churchill Place, London, E14
5HP, United Kingdom.
Barclays Bank PLC is authorised and regulated by the
Financial Services Authority. | | | |
|
|