Reference Material | Authentication policy for users outside scope
If an authentication policy is created for the administrators and/or helpdesk group, but those users are outside the uReset Active Directory scope (“Allow users outside scope” is enabled), the uReset Gatekeepers group must be granted permission to read and write the relevant attributes on those user objects.
Complete the steps below to allow administrators/helpdesk users outside of the uReset scope to enroll with Specops uReset.
Prerequisites: the Active Directory PowerShell snapin (Get-ADDomain, Get-ADGroup, Get-ADUser) and dsacls.exe, which the script invokes.
- Save the script below into a file (e.g. “C:\Scripts\uResetUserPermissions.ps1”)
- Dot source the script into a PowerShell session.
- Run the Grant-uResetPermissionForUserOutsideScope cmdlet for each user outside the scope that needs to enroll with uReset.
Command:
# Dot source the script to load the 'Grant-uResetPermissionForUserOutsideScope' cmdlet.
. C:\Scripts\uResetUserPermissions.ps1

# Run this cmdlet for each user outside scope that needs to enroll with uReset.
# GatekeepersGroup: sAMAccountName or DN of the Gatekeepers group (default is 'Specops Authentication Gatekeepers')
# TargetUser: sAMAccountName or DN of the target user
Grant-uResetPermissionForUserOutsideScope -GatekeepersGroup 'Specops Authentication Gatekeepers' -TargetUser JohnDoe
Script:
$VerbosePreference = 'Continue'
$ErrorActionPreference = 'Stop'

# Provides Get-ADDomain, Get-ADGroup and Get-ADUser.
Import-Module ActiveDirectory

# Named to match the cmdlet referenced in the steps above.
function Grant-uResetPermissionForUserOutsideScope {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]
        [string]$GatekeepersGroup,

        [Parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]
        [string]$TargetUser,

        [Parameter(Mandatory=$false)]
        [ValidateNotNullOrEmpty()]
        [string]$MobileNumberAttribute = 'mobile'
    )

    $VerbosePreference = 'Continue'
    $ErrorActionPreference = 'Stop'

    Write-Verbose "Gatekeeper's group: $GatekeepersGroup"
    Write-Verbose "Target user: $TargetUser"

    $domain = Get-ADDomain

    try {
        $gkGroup = Get-ADGroup $GatekeepersGroup
        $gatekeepersGroup = $domain.NetBIOSName + '\' + $gkGroup.sAMAccountName
    } catch {
        throw ("Could not find Gatekeepers group ('{0}')." -f $GatekeepersGroup)
    }

    try {
        $user = Get-ADUser $TargetUser
        $targetUserDn = $user.DistinguishedName
    } catch {
        throw ("Could not find target user ('{0}')." -f $TargetUser)
    }

    # dsacls permission strings: <rights>;<object type>;<inherited object type>
    [array]$permissionsArray = @(
        'CCDC;classStore;',                       # CreateChild DeleteChild
        'LC;;',                                   # List children
        'RP;userAccountControl;',
        'RP;msDS-User-Account-Control-Computed;',
        'RP;pwdLastSet;',                         # Force password change
        'RP;lockoutTime;',                        # Reset if locked out from AD
        'RP;tokenGroups;',                        # Determine group membership
        # mobile attribute - change if using a custom mobile attribute
        "RPWP;$MobileNumberAttribute;"            # Read+Write mobile number
    )

    # Build: "<user DN>" /G "<DOMAIN\group>:<perm>" "<DOMAIN\group>:<perm>" ...
    $sb = New-Object System.Text.StringBuilder
    [void]$sb.Append('"')
    [void]$sb.Append($targetUserDn)
    [void]$sb.Append('"')
    [void]$sb.Append(' /G')
    $permissionsArray | foreach {
        [void]$sb.Append(' "')
        [void]$sb.Append($gatekeepersGroup)
        [void]$sb.Append(':')
        [void]$sb.Append($_)
        [void]$sb.Append('"')
    }
    $commandLine = $sb.ToString()

    function RunDsAcls($commandLine) {
        $startInfo = New-Object System.Diagnostics.ProcessStartInfo
        $startInfo.FileName = 'dsacls.exe'
        $startInfo.Arguments = $commandLine
        $startInfo.UseShellExecute = $false
        $startInfo.CreateNoWindow = $true
        $startInfo.RedirectStandardOutput = $true
        $startInfo.RedirectStandardError = $true

        $process = New-Object System.Diagnostics.Process
        $process.StartInfo = $startInfo

        Write-Verbose ''
        Write-Verbose "dsacls $commandLine"
        Write-Verbose ''

        $process.Start() | Out-Null
        $stdout = $process.StandardOutput.ReadToEnd()
        $stderr = $process.StandardError.ReadToEnd()
        $process.WaitForExit()

        if ($process.ExitCode -ne 0) {
            $msg = ("dsacls failed with exit code {0}." -f $process.ExitCode)
            Write-Verbose $stdout
            Write-Verbose $stderr
            Write-Verbose $msg
            throw $msg
        }
        Write-Verbose $stdout
        Write-Verbose "dsacls completed successfully."
    }

    Write-Verbose ''
    Write-Verbose "Will grant permission for `"$($gatekeepersGroup)`" to operate on `"$($targetUserDn)`"."
    Write-Verbose ''

    RunDsAcls $commandLine
}
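To confirm that the grant took effect, and to audit such users later, the following added helper reads the target user's ACL and reports whether each dsacls permission string from the script above is present for the Gatekeepers group. It is not part of the Specops script; the function name Test-uResetPermissionForUserOutsideScope is my own, and it assumes the ActiveDirectory module with its AD: drive.

```powershell
# Added verification helper (not part of the Specops script): checks that every ACE the
# grant script requests is present on the target user. Assumes the ActiveDirectory module.
function Test-uResetPermissionForUserOutsideScope {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)][string]$GatekeepersGroup,
        [Parameter(Mandatory=$true)][string]$TargetUser,
        [string]$MobileNumberAttribute = 'mobile'
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    $group     = Get-ADGroup $GatekeepersGroup
    $user      = Get-ADUser $TargetUser
    $ntAccount = '{0}\{1}' -f (Get-ADDomain).NetBIOSName, $group.SamAccountName
    # ACEs carry schemaIDGUIDs rather than LDAP display names, so resolve each name in the
    # schema partition (classStore is a class, the others are attributes; both live there).
    $guidOf = @{}
    foreach ($name in 'classStore','userAccountControl','msDS-User-Account-Control-Computed',
                      'pwdLastSet','lockoutTime','tokenGroups',$MobileNumberAttribute) {
        $obj = Get-ADObject -SearchBase (Get-ADRootDSE).SchemaNamingContext `
                            -LDAPFilter "(lDAPDisplayName=$name)" -Properties schemaIDGUID
        if (-not $obj) { throw "Schema object '$name' not found." }
        $guidOf[$name] = [guid]$obj.schemaIDGUID
    }
    $R  = [System.DirectoryServices.ActiveDirectoryRights]
    $rp = $R::ReadProperty
    # One row per dsacls string in the grant script; 'LC;;' has no object type (empty GUID).
    $expected = @(
        @{ Label = 'CCDC;classStore;'; Rights = $R::CreateChild -bor $R::DeleteChild; Guid = $guidOf['classStore'] }
        @{ Label = 'LC;;'; Rights = $R::ListChildren; Guid = [guid]::Empty }
        @{ Label = 'RP;userAccountControl;'; Rights = $rp; Guid = $guidOf['userAccountControl'] }
        @{ Label = 'RP;msDS-User-Account-Control-Computed;'; Rights = $rp; Guid = $guidOf['msDS-User-Account-Control-Computed'] }
        @{ Label = 'RP;pwdLastSet;'; Rights = $rp; Guid = $guidOf['pwdLastSet'] }
        @{ Label = 'RP;lockoutTime;'; Rights = $rp; Guid = $guidOf['lockoutTime'] }
        @{ Label = 'RP;tokenGroups;'; Rights = $rp; Guid = $guidOf['tokenGroups'] }
        @{ Label = "RPWP;$MobileNumberAttribute;"; Rights = $rp -bor $R::WriteProperty; Guid = $guidOf[$MobileNumberAttribute] }
    )
    # Only Allow ACEs for the Gatekeepers group count. An ACE whose ObjectType is the empty
    # GUID applies to every property/class, so it satisfies any row as well.
    $aces = (Get-Acl -Path "AD:\$($user.DistinguishedName)").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $ntAccount }
    foreach ($e in $expected) {
        $hit = $aces | Where-Object {
            ($_.ObjectType -eq $e.Guid -or $_.ObjectType -eq [guid]::Empty) -and
            (($_.ActiveDirectoryRights -band $e.Rights) -eq $e.Rights)
        }
        [pscustomobject]@{ Permission = $e.Label; Granted = [bool]$hit }
    }
}
```

Run it with the same -GatekeepersGroup and -TargetUser values you passed to the grant cmdlet; any row reporting Granted = False means that dsacls entry did not land and the grant should be re-run or the ACL inspected by hand.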