• Status: Solved

How To Give Permission to Add Users

I had this working before, but now it's not working again for some odd reason and I can't get it to work. I need to allow a user the ability to add user accounts to a specific OU. With the way I have it set up now they can add a user through the script I wrote which uses 'dsadd', but then it gives an error saying there was an error during post create operations due to insufficient access rights. It also disables the account that they created. When I look in the account's settings everything is set up correctly except the group membership. The new users are supposed to be added to "CN=Volunteers,OU=Volunteers,DC=my,DC=domain", but they aren't. What I don't understand though is the user I'm trying to give this ability to has full control over the Volunteers OU which is where the new user is created and the group resides, so this should be working.... Here is the line I am using to add users (I've replaced the variables with constants for demonstration purposes...):

dsadd user "CN=FirstName LastName,OU=Volunteers,DC=mydomain,DC=com" -samid login_name -upn login_name@mydomain.com -fn "FirstName" -ln "LastName" -display "Display Name" -pwd "temp" -memberof "CN=Volunteers,OU=Volunteers,DC=mydomain,DC=com" -hmdir "\\SERVER\HOME\LOGIN_NAME" -hmdrv Z: -mustchpwd yes
Grime121
Asked:
 
exx1976 Commented:
How often do you have to add new users, and is it always on the same day of the week?  For instance, my company runs a training class that starts every Monday..  So I just created a VBS to do all the user creations, and it is scheduled to run Monday night after training enters all the users' information into a shared Excel spreadsheet.  The VBS just strips out the info, creates the users, empties the spreadsheet, and then emails training that the users are all set.

Might be easier for you...  You can have the scheduled process run under whatever user ID you want, so...


HTH,
exx
 
Grime121 (Author) Commented:
No, there really is no set schedule. It could be weeks before we add a new user, or it could be days.
 
Grime121 (Author) Commented:
If no one else knows why that code is not working I'm going to ask to have this question closed.
 
exx1976 Commented:
Well, first, that's not code, it's an application with a bunch of command line arguments.

Second, why not write a piece of code to do the same thing?

I think the reason you aren't getting an answer to your question is that most people either write VBS to do this, or they delegate permissions over an OU to whatever user they want to have the access, and voilà!  They can create users...

Good luck,
exx
 
Grime121 (Author) Commented:
That's what I'm trying to do. The title of the thread is 'How to Give Permissions to Add Users'. I think I just haven't given all of the permissions that I need to give or something, because the command line arguments work fine when I am logged in as an Admin. When logged in as a user that I want to allow the creation of users to, everything works except it won't let me add the user to a group (and disables the account when I try).
 
Grime121 (Author) Commented:
I'm going to ask to have this question closed if no one has responded in the next day or so.
 
Grime121 (Author) Commented:
Something really weird is going on with this... I added the user to the Account Operators group, and it still says insufficient rights when I try to create the user. When I'm logged in as Admin it works fine though.
 
Grime121 (Author) Commented:
The problem is with the -memberof %GroupDN%. GroupDN is being set to "CN=Volunteers,OU=Volunteers,DC=<mydomain>,DC=local", which is correct. When a non-admin user tries to add someone to that group, they get the error "insufficient access rights".... even if they belong to the Account Operators group. The group is just a normal global security group. It doesn't have an owner, although at one time it did. I tried moving it from the OU 'Volunteers' to the 'Users' container to see if that helped, but I got the same error.
 
exx1976 Commented:
Check to make sure that user X has the proper permissions on that group to be able to add/remove to/from it...

 
Grime121 (Author) Commented:
Well, they are Account Operators, so they should already have permissions on the group. I looked around though to try and find a place where I could delegate control of that group, but I couldn't find anything. I can delegate control over the OU that the group is in, but I've already tried giving them full permission to the OU, and that didn't help.
 
exx1976 Commented:
Yes, but did you check the permissions ON THE GROUP?  You know, each object has a little security tab??  Did you look at it to see if that user actually HAS the permissions that you assume he does?
 
Grime121 (Author) Commented:
The only tabs the group has are 'General', 'Members', 'Member Of', and 'Managed By'. Maybe I need to change something in the domain security policy?
 
exx1976 Commented:
Click View -> Advanced Features.  Then there should be a Security tab.
 
Grime121 (Author) Commented:
Bingo. I knew I had seen a security tab for that group somewhere, but I looked everywhere and couldn't find it. I never thought to enable the Advanced features. Thanks.
 
exx1976 Commented:
All that, and that's all it was??   Wow..  

Well, in any event, glad I could help.


-exx
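
The fix reached in this thread was on the group object's own ACL: dsadd's -memberof writes to the group's member attribute, so the delegate needs write access on the group itself. The batch script below is an added example, not code from the thread or its participants. It does the same check from the command line with dsacls and grants only that one right. The account name volunteer_admin and the domain MYDOMAIN are hypothetical; the group DN uses the question's placeholder domain.

```bat
@echo off
rem Added example; not part of the original thread.
rem DelegateSam and Delegate are hypothetical names. The DN uses the
rem placeholder domain from the question. Run as an administrator.
setlocal
set "GroupDN=CN=Volunteers,OU=Volunteers,DC=mydomain,DC=com"
set "DelegateSam=volunteer_admin"
set "Delegate=MYDOMAIN\%DelegateSam%"

rem 1. Dump the group's ACL and keep only the ACEs that name the delegate.
rem    This is the same data the Security tab shows once
rem    View -> Advanced Features is enabled. ACEs the delegate receives
rem    through a group membership will not match this filter.
echo ACEs naming %Delegate% on %GroupDN%:
dsacls "%GroupDN%" | findstr /I /L "%DelegateSam%"
if errorlevel 1 echo   none listed for this account

rem 2. Grant Write Property (WP) on the 'member' attribute of this one
rem    group, so the delegate can change its membership and nothing else.
dsacls "%GroupDN%" /G "%Delegate%:WP;member"

rem 3. Re-read the ACL to confirm the new ACE is present.
echo ACEs naming %Delegate% after the change:
dsacls "%GroupDN%" | findstr /I /L "%DelegateSam%"
endlocal
```

A single write-member ACE on the one group is a much narrower grant than membership in Account Operators, which was tried earlier in the thread.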