
How To Give Permission to Add Users

Posted on 2004-09-29
Last Modified: 2008-01-16
I had this working before, but now it's not working again for some odd reason and I can't get it to work. I need to allow a user the ability to add user accounts to a specific OU. With the way I have it set up now they can add a user through the script I wrote which uses 'dsadd', but then it gives an error saying there was an error during post create operations due to insufficient access rights. It also disables the account that they created. When I look in the account's settings everything is set up correctly except the group membership. The new users are supposed to be added to "CN=Volunteers,OU=Volunteers,DC=my,DC=domain", but they aren't. What I don't understand though is the user I'm trying to give this ability to has full control over the Volunteers OU which is where the new user is created and the group resides, so this should be working.... Here is the line I am using to add users (I've replaced the variables with constants for demonstration purposes...):

dsadd user "CN=FirstName LastName,OU=Volunteers,DC=mydomain,DC=com" -samid login_name -upn login_name@mydomain.com -fn "FirstName" -ln "LastName" -display "Display Name" -pwd "temp" -memberof "CN=Volunteers,OU=Volunteers,DC=mydomain,DC=com" -hmdir "\\SERVER\HOME\LOGIN_NAME" -hmdrv Z: -mustchpwd yes
0
Question by:Grime121
16 Comments
 
LVL 18

Expert Comment

by:exx1976
ID: 12192653
How often do you have to add new users, and is it always on the same day of the week?  For instance, my company runs a training class that starts every Monday..  So I just created a VBS to do all the user creations, and it is scheduled to run Monday night after training enters all the user's information into a shared Excel spreadsheet.  The VBS just strips out the info, creates the users, empties the spreadsheet, and then emails training that the users are all set.

Might be easier for you...  You can have the scheduled process run under whatever user ID you want, so...


HTH,
exx
0
 
LVL 1

Author Comment

by:Grime121
ID: 12194103
No, there really is no set schedule. It could be weeks before we add a new user, or it could be days.
0
 
LVL 1

Author Comment

by:Grime121
ID: 12229613
If no one else knows why that code is not working I'm going to ask to have this question closed.
0
 
LVL 18

Expert Comment

by:exx1976
ID: 12231408
Well, first, that's not code, it's an application with a bunch of command line arguments.

Second, why not write a piece of code to do the same thing?

I think the reason you aren't getting an answer to your question is that most people either write VBS to do this, or they delegate permissions over an OU to whatever user they want to have the access, and voilà!  They can create users...

Good luck,
exx
0
 
LVL 1

Author Comment

by:Grime121
ID: 12231620
That's what I'm trying to do. The title of the thread is 'How to Give Permissions to Add Users'. I think I just haven't given all of the permissions that I need to give or something, because the command line arguments work fine when I am logged in as an Admin. When logged in as a user that I want to allow the creation of users to everything works except it won't let me add the user to a group (and disables the account when I try).
0
 
LVL 1

Author Comment

by:Grime121
ID: 12251246
I'm going to ask to have this question closed if no one has responded in the next day or so.
0
 
LVL 1

Author Comment

by:Grime121
ID: 12251769
Something really weird is going on with this... I added the user to the Account Operators group, and it still says insufficient rights when I try to create the user. When I'm logged in as Admin it works fine though.
0
 
LVL 1

Author Comment

by:Grime121
ID: 12252028
The problem is with the -memberof %GroupDN%. GroupDN is being set to "CN=Volunteers,OU=Volunteers,DC=<mydomain>,DC=local", which is correct. When a non-admin user tries to add someone to that group, they get the error "insufficient access rights".... even if they belong to the Account Operators group. The group is just a normal global security group. It doesn't have an owner, although at one time it did. I tried moving it from the OU 'Volunteers' to the 'Users' container to see if that helped, but I got the same error.
0
 
LVL 18

Expert Comment

by:exx1976
ID: 12252597
Check to make sure that user X has the proper permissions on that group to be able to add/remove to/from it...

0
 
LVL 1

Author Comment

by:Grime121
ID: 12253365
Well, they are Account Operators, so they should already have permissions on the group. I looked around though to try and find a place where I could delegate control of that group, but I couldn't find anything. I can delegate control over the OU that the group is in, but I've already tried giving them full permission to the OU, and that didn't help.
0
 
LVL 18

Expert Comment

by:exx1976
ID: 12276982
Yes, but did you check the permissions ON THE GROUP?  You know, each object has a little security tab??  Did you look at it to see if that user actually HAS the permissions that you assume he does?
0
 
LVL 1

Author Comment

by:Grime121
ID: 12278392
The only tabs the group has are 'General', 'Members', 'Member Of', and 'Managed By'. Maybe I need to change something in the domain security policy?
0
 
LVL 18

Accepted Solution

by:
exx1976 earned 500 total points
ID: 12279351
Click view -> advanced features.  Then there should be a security tab.
0
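The same check and delegation from the command line, as an added example that is not part of the original thread: it uses dsacls to display the group's ACL (what the Security tab shows) and to grant a narrowly scoped delegation instead of Account Operators membership or Full Control. The thread does not say which permission was finally changed, so the write-"member" grant is an assumption; MYDOMAIN\voladmin is a hypothetical delegate account and the DNs are the placeholder ones from the question.

```bat
@echo off
rem Added example, not from the thread. DELEGATE is a hypothetical account;
rem the DNs are the placeholders used in the question's dsadd line.
setlocal
set "DELEGATE=MYDOMAIN\voladmin"
set "OU_DN=OU=Volunteers,DC=mydomain,DC=com"
set "GROUP_DN=CN=Volunteers,OU=Volunteers,DC=mydomain,DC=com"

rem 1. Display the group's current ACL. This is the information behind the
rem    Security tab that only appears with View -> Advanced Features enabled.
dsacls "%GROUP_DN%"

rem 2. Allow the delegate to create user objects directly in the OU
rem    (CC = create child, restricted to the "user" object class).
dsacls "%OU_DN%" /G "%DELEGATE%:CC;user"

rem 3. Allow the delegate to manage the user objects below the OU, so the
rem    post-create steps (set password, enable account) succeed.
rem    /I:S applies the entry to sub-objects only; GA;;user limits it to users.
dsacls "%OU_DN%" /I:S /G "%DELEGATE%:GA;;user"

rem 4. Assumed fix for the -memberof failure: allow the delegate to write
rem    only the "member" attribute of the Volunteers group (WP = write property).
dsacls "%GROUP_DN%" /G "%DELEGATE%:WP;member"

rem 5. Re-read the ACL and show the entries that mention the member attribute.
dsacls "%GROUP_DN%" | findstr /I /C:"member"

endlocal
```

Run it from an account that can modify permissions on the OU and the group, then retry the dsadd line as the delegate.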
 
LVL 1

Author Comment

by:Grime121
ID: 12282877
Bingo. I knew I had seen a security tab for that group somewhere, but I looked everywhere and couldn't find it. I never thought to enable the Advanced features. Thanks.
0
 
LVL 18

Expert Comment

by:exx1976
ID: 12283482
All that, and that's all it was??   Wow..  

Well, in any event, glad I could help.


-exx
0
