We are looking to push some admin functions out to the edge to help lighten the load on the helpdesk/IS department. (Currently 3 people in the department supporting roughly 90 employees and 45 servers.)
What we would like to do is create a webpage that runs a script allowing managers to unlock Windows accounts for their staff. The key components we need to capture (for security and auditing purposes) are:
1. Log the unlock event to a SQL server (MSDE, Access, or SQL, it doesn't matter). The log needs to have the account unlocked, who unlocked it, and the terminal it came from.
2. Send the IS department an email as soon as the attempt is made, with the same information as the log.
3. Write an event to the security event log on the DC.
4. Restrict it so that only people in a given NTFS group or OU can access the page and run the script.
My concerns with this are, how much of a security risk is it to open this up to non-IS staff? While it will help staff get unlocked quicker should the IS department be unavailable, I am not 100% convinced it is a sound decision.
Is anyone else doing this? And, since I am admittedly not a strong programmer, I need some help getting pointed in the right direction on this, ensuring that the code is secure. I have tried to get this to work with PowerShell scripts, but haven't been successful.
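As an added example (not the poster's code), this is the shape a PowerShell back end for such a page could take, with the checks that address the security concern above: the caller must be in the delegated group, may only unlock their own direct reports, is refused for protected accounts, and every unlock is written to SQL, e-mailed to IS and logged locally. It assumes the ActiveDirectory module, IIS Windows authentication supplying the caller's name and host, and the placeholder group DN, SQL server, table and SMTP names in the comments.

```powershell
# Added example, not the poster's code. Placeholders to replace: the group DN,
# SQL connection string and table, SMTP host and addresses. Run once as admin first:
#   New-EventLog -LogName Application -Source 'StaffUnlock'
Import-Module ActiveDirectory

function Unlock-StaffAccount {
    param(
        [Parameter(Mandatory)][string]$TargetSam,   # account to unlock
        [Parameter(Mandatory)][string]$CallerSam,   # authenticated web user (IIS Windows auth)
        [Parameter(Mandatory)][string]$CallerHost   # caller's host name or IP from the request
    )
    $allowedGroup = 'CN=Manager-Unlock,OU=Groups,DC=example,DC=com'   # placeholder

    # 1. Authorisation: caller must be a (recursive) member of the delegated group.
    $caller  = Get-ADUser -Identity $CallerSam
    $members = Get-ADGroupMember -Identity $allowedGroup -Recursive |
               Select-Object -ExpandProperty SamAccountName
    if ($members -notcontains $caller.SamAccountName) {
        throw "$CallerSam is not authorised to unlock accounts"
    }

    # 2. Scope: managers may only unlock their own direct reports (AD Manager attribute),
    #    and never accounts AD marks as privileged (adminCount = 1).
    $target = Get-ADUser -Identity $TargetSam -Properties LockedOut, Manager, adminCount
    if ($target.Manager -ne $caller.DistinguishedName) {
        throw "$TargetSam does not report to $CallerSam"
    }
    if ($target.adminCount -eq 1) { throw "$TargetSam is a protected account; refer to IS" }
    if (-not $target.LockedOut)   { return "$TargetSam is not locked out" }

    # 3. The unlock itself. With "Audit User Account Management" enabled on the DC this
    #    also produces Security event 4767 there, so no custom Security-log write is needed.
    Unlock-ADAccount -Identity $target

    # 4. Audit trail: parameterised SQL insert (no string-built SQL), e-mail to IS,
    #    and a local Application-log event on the web server.
    $when = [datetime]::UtcNow
    $msg  = "Account $TargetSam unlocked by $CallerSam from $CallerHost at $($when.ToString('u'))"
    $conn = New-Object System.Data.SqlClient.SqlConnection 'Server=SQL01;Database=Audit;Integrated Security=True'
    $cmd  = $conn.CreateCommand()
    $cmd.CommandText = 'INSERT INTO AccountUnlockLog (UnlockedAccount, UnlockedBy, SourceHost, UnlockedAt) VALUES (@t, @c, @h, @w)'
    foreach ($p in @{ '@t' = $TargetSam; '@c' = $CallerSam; '@h' = $CallerHost; '@w' = $when }.GetEnumerator()) {
        [void]$cmd.Parameters.AddWithValue($p.Key, $p.Value)
    }
    $conn.Open(); [void]$cmd.ExecuteNonQuery(); $conn.Close()
    Send-MailMessage -From 'unlock@example.com' -To 'is@example.com' -Subject 'Account unlock' -Body $msg -SmtpServer 'smtp.example.com'
    Write-EventLog -LogName Application -Source 'StaffUnlock' -EventId 1000 -EntryType Information -Message $msg
    return $msg
}
```

The Security-log requirement is met by the DC's own auditing rather than by the script, since writing directly to the Security log is reserved for the system. The service account the page runs as should be delegated only the right to write lockoutTime on the staff OU, so that a compromise of the page cannot do more than unlock accounts.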