Solved

How To Give Permission to Add Users

Posted on 2004-09-29
Last Modified: 2008-01-16
I had this working before, but now it's not working again for some odd reason and I can't get it to work. I need to allow a user the ability to add user accounts to a specific OU. With the way I have it set up now they can add a user through the script I wrote which uses 'dsadd', but then it gives an error saying there was an error during post create operations due to insufficient access rights. It also disables the account that they created. When I look in the account's settings everything is set up correctly except the group membership. The new users are supposed to be added to "CN=Volunteers,OU=Volunteers,DC=my,DC=domain", but they aren't. What I don't understand though is the user I'm trying to give this ability to has full control over the Volunteers OU which is where the new user is created and the group resides, so this should be working.... Here is the line I am using to add users (I've replaced the variables with constants for demonstration purposes...):

dsadd user "CN=FirstName LastName,OU=Volunteers,DC=mydomain,DC=com" -samid login_name -upn login_name@mydomain.com -fn "FirstName" -ln "LastName" -display "Display Name" -pwd "temp" -memberof "CN=Volunteers,OU=Volunteers,DC=mydomain,DC=com" -hmdir "\\SERVER\HOME\LOGIN_NAME" -hmdrv Z: -mustchpwd yes

Question by:Grime121

16 Comments

LVL 18

Expert Comment

by:exx1976
How often do you have to add new users, and is it always on the same day of the week?  For instance, my company runs a training class that starts every Monday..  So I just created a VBS to do all the user creations, and it is scheduled to run Monday night after training enters all the user's information into a shared Excel spreadsheet.  The VBS just strips out the info, creates the users, empties the spreadsheet, and then emails training that the users are all set.

Might be easier for you...  You can have the scheduled process run under whatever user ID you want, so...


HTH,
exx

LVL 1

Author Comment

by:Grime121
No, there really is no set schedule. It could be weeks before we add a new user, or it could be days.

LVL 1

Author Comment

by:Grime121
If no one else knows why that code is not working I'm going to ask to have this question closed.

LVL 18

Expert Comment

by:exx1976
Well, first, that's not code, it's an application with a bunch of command line arguments.

Second, why not write a piece of code to do the same thing?

I think the reason you aren't getting an answer to your question is that most people either write VBS to do this, or they delegate permissions over an OU to whatever user they want to have the access, and voilà!  They can create users...

Good luck,
exx

LVL 1

Author Comment

by:Grime121
That's what I'm trying to do. The title of the thread is 'How to Give Permissions to Add Users'. I think I just haven't given all of the permissions that I need to give or something, because the command line arguments work fine when I am logged in as an Admin. When logged in as a user that I want to allow the creation of users to everything works except it won't let me add the user to a group (and disables the account when I try).

LVL 1

Author Comment

by:Grime121
I'm going to ask to have this question closed if no one has responded in the next day or so.

LVL 1

Author Comment

by:Grime121
Something really weird is going on with this... I added the user to the Account Operators group, and it still says insufficient rights when I try to create the user. When I'm logged in as Admin it works fine though.

LVL 1

Author Comment

by:Grime121
The problem is with the -memberof %GroupDN%. GroupDN is being set to "CN=Volunteers,OU=Volunteers,DC=<mydomain>,DC=local", which is correct. When a non-admin user tries to add someone to that group, they get the error "insufficient access rights".... even if they belong to the Account Operators group. The group is just a normal global security group. It doesn't have an owner, although at one time it did. I tried moving it from the OU 'Volunteers' to the 'Users' container to see if that helped, but I got the same error.

LVL 18

Expert Comment

by:exx1976
Check to make sure that user X has the proper permissions on that group to be able to add/remove to/from it...

LVL 1

Author Comment

by:Grime121
Well, they are Account Operators, so they should already have permissions on the group. I looked around though to try and find a place where I could delegate control of that group, but I couldn't find anything. I can delegate control over the OU that the group is in, but I've already tried giving them full permission to the OU, and that didn't help.

LVL 18

Expert Comment

by:exx1976
Yes, but did you check the permissions ON THE GROUP?  You know, each object has a little security tab??  Did you look at it to see if that user actually HAS the permissions that you assume he does?

LVL 1

Author Comment

by:Grime121
The only tabs the group has are 'General', 'Members', 'Member Of', and 'Managed By'. Maybe I need to change something in the domain security policy?

LVL 18

Accepted Solution

by:exx1976 earned 500 total points
Click view -> advanced features.  Then there should be a security tab.

LVL 1

Author Comment

by:Grime121
Bingo. I knew I had seen a security tab for that group somewhere, but I looked everywhere and couldn't find it. I never thought to enable the Advanced features. Thanks.

LVL 18

Expert Comment

by:exx1976
All that, and that's all it was??   Wow..  

Well, in any event, glad I could help.


-exx
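
Added example, not part of the original thread: the accepted answer comes down to inspecting the group's own ACL, and what `-memberof` needs there is write access to the group's `member` attribute. The PowerShell below checks a security descriptor for that right; the SDDL strings and the delegate SID are constructed sample values, and `Test-CanWriteMember` is a hypothetical helper name.

```powershell
Add-Type -AssemblyName System.DirectoryServices

# schemaIDGUID of the 'member' attribute in the AD schema
$MemberAttr = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

function Test-CanWriteMember {
    param(
        [Parameter(Mandatory)] [string]   $Sddl,  # the group's security descriptor
        [Parameter(Mandatory)] [string[]] $Sids   # delegate SID plus SIDs of its groups
    )
    $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
    $sd.SetSecurityDescriptorSddlForm($Sddl)
    $rules = $sd.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    $write       = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    $allowed     = $false
    foreach ($r in $rules) {
        if ($Sids -notcontains $r.IdentityReference.Value) { continue }
        if (-not ($r.ActiveDirectoryRights -band $write))  { continue }
        if ($r.PropagationFlags -band $inheritOnly)        { continue }  # applies to children only
        # Empty ObjectType = every property; otherwise the ACE must name 'member'
        if ($r.ObjectType -ne [guid]::Empty -and $r.ObjectType -ne $MemberAttr) { continue }
        # Conservative simplification of ACE ordering: any matching deny blocks
        if ($r.AccessControlType -eq 'Deny') { return $false }
        $allowed = $true
    }
    return $allowed
}

# Constructed sample data (not from the thread): a group ACL without and with
# a "write member" grant for the delegated account.
$delegate = 'S-1-5-21-1111111111-2222222222-3333333333-1105'
$before   = 'O:BAG:BAD:(A;;RPLCLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)'
$after    = $before + "(OA;;WP;$MemberAttr;;$delegate)"

Test-CanWriteMember -Sddl $before -Sids $delegate
Test-CanWriteMember -Sddl $after  -Sids $delegate
```

Against a live directory, the descriptor can be read with `(Get-Acl "AD:\<group DN>").Sddl` once the ActiveDirectory module is loaded; pass the delegate's SID together with the SIDs of the groups it belongs to.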