Solved

How To Give Permission to Add Users

Posted on 2004-09-29
Last Modified: 2008-01-16
I had this working before, but now it's not working again for some odd reason and I can't get it to work. I need to allow a user the ability to add user accounts to a specific OU. With the way I have it set up now they can add a user through the script I wrote which uses 'dsadd', but then it gives an error saying there was an error during post create operations due to insufficient access rights. It also disables the account that they created. When I look in the account's settings everything is set up correctly except the group membership. The new users are supposed to be added to "CN=Volunteers,OU=Volunteers,DC=my,DC=domain", but they aren't. What I don't understand though is the user I'm trying to give this ability to has full control over the Volunteers OU which is where the new user is created and the group resides, so this should be working.... Here is the line I am using to add users (I've replaced the variables with constants for demonstration purposes...):

dsadd user "CN=FirstName LastName,OU=Volunteers,DC=mydomain,DC=com" -samid login_name -upn login_name@mydomain.com -fn "FirstName" -ln "LastName" -display "Display Name" -pwd "temp" -memberof "CN=Volunteers,OU=Volunteers,DC=mydomain,DC=com" -hmdir "\\SERVER\HOME\LOGIN_NAME" -hmdrv Z: -mustchpwd yes
Question by:Grime121
16 Comments
 
LVL 18

Expert Comment

by:exx1976
ID: 12192653
How often do you have to add new users, and is it always on the same day of the week?  For instance, my company runs a training class that starts every Monday..  So I just created a VBS to do all the user creations, and it is scheduled to run Monday night after training enters all the user's information into a shared Excel spreadsheet.  The VBS just strips out the info, creates the users, empties the spreadsheet, and then emails training that the users are all set.

Might be easier for you...  You can have the scheduled process run under whatever user ID you want, so...


HTH,
exx
 
LVL 1

Author Comment

by:Grime121
ID: 12194103
No, there really is no set schedule. It could be weeks before we add a new user, or it could be days.
 
LVL 1

Author Comment

by:Grime121
ID: 12229613
If no one else knows why that code is not working I'm going to ask to have this question closed.
 
LVL 18

Expert Comment

by:exx1976
ID: 12231408
Well, first, that's not code, it's an application with a bunch of command line arguments.

Second, why not write a piece of code to do the same thing?

I think the reason you aren't getting an answer to your question is that most people either write VBS to do this, or they delegate permissions over an OU to whatever user they want to have the access, and voilà!  They can create users...

Good luck,
exx
 
LVL 1

Author Comment

by:Grime121
ID: 12231620
That's what I'm trying to do. The title of the thread is 'How to Give Permissions to Add Users'. I think I just haven't given all of the permissions that I need to give or something, because the command line arguments work fine when I am logged in as an Admin. When logged in as a user that I want to allow the creation of users to, everything works except it won't let me add the user to a group (and disables the account when I try).
 
LVL 1

Author Comment

by:Grime121
ID: 12251246
I'm going to ask to have this question closed if no one has responded in the next day or so.
 
LVL 1

Author Comment

by:Grime121
ID: 12251769
Something really weird is going on with this... I added the user to the Account Operators group, and it still says insufficient rights when I try to create the user. When I'm logged in as Admin it works fine though.
 
LVL 1

Author Comment

by:Grime121
ID: 12252028
The problem is with the -memberof %GroupDN%. GroupDN is being set to "CN=Volunteers,OU=Volunteers,DC=<mydomain>,DC=local", which is correct. When a non-admin user tries to add someone to that group, they get the error "insufficient access rights".... even if they belong to the Account Operators group. The group is just a normal global security group. It doesn't have an owner, although at one time it did. I tried moving it from the OU 'Volunteers' to the 'Users' container to see if that helped, but I got the same error.
 
LVL 18

Expert Comment

by:exx1976
ID: 12252597
Check to make sure that user X has the proper permissions on that group to be able to add/remove to/from it...

 
LVL 1

Author Comment

by:Grime121
ID: 12253365
Well, they are Account Operators, so they should already have permissions on the group. I looked around though to try and find a place where I could delegate control of that group, but I couldn't find anything. I can delegate control over the OU that the group is in, but I've already tried giving them full permission to the OU, and that didn't help.
 
LVL 18

Expert Comment

by:exx1976
ID: 12276982
Yes, but did you check the permissions ON THE GROUP?  You know, each object has a little security tab??  Did you look at it to see if that user actually HAS the permissions that you assume he does?
 
LVL 1

Author Comment

by:Grime121
ID: 12278392
The only tabs the group has are 'General', 'Members', 'Member Of', and 'Managed By'. Maybe I need to change something in the domain security policy?
 
LVL 18

Accepted Solution

by:
exx1976 earned 500 total points
ID: 12279351
Click view -> advanced features.  Then there should be a security tab.
 
LVL 1

Author Comment

by:Grime121
ID: 12282877
Bingo. I knew I had seen a security tab for that group somewhere, but I looked everywhere and couldn't find it. I never thought to enable the Advanced features. Thanks.
 
LVL 18

Expert Comment

by:exx1976
ID: 12283482
All that, and that's all it was??   Wow..  

Well, in any event, glad I could help.


-exx
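
The check the accepted answer points to (the group's Security tab), done from the command line, as an added example that is not part of the original thread: it lists the ACEs on the Volunteers group that name the delegate, grants write access to only the group's member attribute, and then repeats the membership change that -memberof performs. The account MYDOMAIN\voladmin and the test user DN are placeholders, and the group DN follows the form used in the question.

```batch
@echo off
rem Added example, not from the thread. Placeholders (assumptions):
rem   MYDOMAIN\voladmin = the delegated non-admin account
rem   TestUserDN        = an existing test account in the OU
setlocal
set "GroupDN=CN=Volunteers,OU=Volunteers,DC=mydomain,DC=com"
set "Account=voladmin"
set "Delegate=MYDOMAIN\%Account%"
set "TestUserDN=CN=Test User,OU=Volunteers,DC=mydomain,DC=com"

if /i "%~1"=="show"   goto show
if /i "%~1"=="grant"  goto grant
if /i "%~1"=="verify" goto verify
echo Usage: %~nx0 show ^| grant ^| verify
exit /b 2

:show
rem Same data as the group's Security tab: ACEs that name the delegate.
rem Rights the account holds only through a group will not match here.
dsacls "%GroupDN%" | findstr /i /c:"%Account%"
if errorlevel 1 echo No ACE naming %Account% on %GroupDN%
exit /b 0

:grant
rem Run as a domain administrator. WP;member = write property on the
rem 'member' attribute of this one group only.
dsacls "%GroupDN%" /G "%Delegate%:WP;member"
exit /b %errorlevel%

:verify
rem Run as the delegate: the membership change that -memberof performs.
dsmod group "%GroupDN%" -addmbr "%TestUserDN%"
if errorlevel 1 (
  echo Still denied: re-check the ACL with "%~nx0 show"
  exit /b 1
)
dsget group "%GroupDN%" -members
exit /b 0
```

Granting write on the member attribute of the one group is a narrower delegation than Account Operators membership or Full Control on the OU.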