Authentication policy for users outside scope
This content is re-used in multiple places in the documentation. Please take this into account when altering the content.
- uReset 8
- Secure Service Desk
If an authentication policy is created for the administrators and/or helpdesk group, but those users are outside the Secure Service Desk scope, the Gatekeepers group must be granted permission to read/write the relevant information on their user objects.
Complete the steps below to allow administrators/helpdesk users outside of the Secure Service Desk scope to enroll.
Prerequisites: the Active Directory PowerShell module (snap-in)
- Save the script below into a file (e.g. “C:\Scripts\uResetUserPermissions.ps1”).
- Dot-source the script into a PowerShell session.
- Run the Grant-uResetPermissionForUserOutsideScope cmdlet for each user outside the scope that needs to enroll with Secure Service Desk.
Command:
PowerShell
# Dot-source the script to load the 'Grant-uResetPermissionForUserOutsideScope' cmdlet.
. C:\Scripts\uResetUserPermissions.ps1
# Run this for each user outside scope that needs to enroll with uReset.
# GatekeepersGroup: sAMAccountName or DN of the Gatekeepers group (default is 'Specops Authentication Gatekeepers')
# TargetUser: sAMAccountName or DN of the target user
Grant-uResetPermissionForUserOutsideScope -GatekeepersGroup 'Specops Authentication Gatekeepers' -TargetUser JohnDoe
Script:
PowerShell
$VerbosePreference = 'Continue'
$ErrorActionPreference = 'Stop'

function Grant-uResetPermissionForUserOutsideScope {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]
        [string]$GatekeepersGroup,

        [Parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]
        [string]$TargetUser,

        [Parameter(Mandatory=$false)]
        [ValidateNotNullOrEmpty()]
        [string]$MobileNumberAttribute = 'mobile'
    )

    $VerbosePreference = 'Continue'
    $ErrorActionPreference = 'Stop'

    Write-Verbose "Gatekeeper's group: $GatekeepersGroup"
    Write-Verbose "Target user: $TargetUser"

    $domain = Get-ADDomain

    # Resolve the Gatekeepers group to DOMAIN\sAMAccountName, the trustee form dsacls expects
    try {
        $gkGroup = Get-ADGroup $GatekeepersGroup
        $gatekeepersGroup = $domain.NetBIOSName + '\' + $gkGroup.sAMAccountName
    } catch {
        throw ("Could not find Gatekeepers group ('{0}')." -f $GatekeepersGroup)
    }

    # Resolve the target user to its distinguished name (the object whose ACL dsacls will modify)
    try {
        $user = Get-ADUser $TargetUser
        $targetUserDn = $user.DistinguishedName
    } catch {
        throw ("Could not find target user ('{0}')." -f $TargetUser)
    }

    # dsacls permission entries: <rights>;<object type>;<inherited object type>
    [array]$permissionsArray = @(
        'CCDC;classStore;',                         # CreateChild, DeleteChild
        'LC;;',                                     # List children
        'RP;userAccountControl;',
        'RP;msDS-User-Account-Control-Computed;',
        'RP;pwdLastSet;',                           # Force password change
        'RP;lockoutTime;',                          # Reset if locked out from AD
        'RP;tokenGroups;',                          # Determine group membership
        # mobile attribute - change if using a custom mobile attribute
        "RPWP;$MobileNumberAttribute;"              # Read+Write mobile number
    )

    # Build the dsacls command line: "<user DN>" /G "<group>:<entry>" "<group>:<entry>" ...
    $sb = New-Object System.Text.StringBuilder
    [void]$sb.Append('"')
    [void]$sb.Append($targetUserDn)
    [void]$sb.Append('"')
    [void]$sb.Append(' /G')
    $permissionsArray | foreach {
        [void]$sb.Append(' "')
        [void]$sb.Append($gatekeepersGroup)
        [void]$sb.Append(':')
        [void]$sb.Append($_)
        [void]$sb.Append('"')
    }
    $commandLine = $sb.ToString()

    function RunDsAcls($commandLine) {
        $startInfo = New-Object System.Diagnostics.ProcessStartInfo
        $startInfo.FileName = 'dsacls.exe'
        $startInfo.Arguments = $commandLine
        $startInfo.UseShellExecute = $false
        $startInfo.CreateNoWindow = $true
        $startInfo.RedirectStandardOutput = $true
        $startInfo.RedirectStandardError = $true

        $process = New-Object System.Diagnostics.Process
        $process.StartInfo = $startInfo

        Write-Verbose ''
        Write-Verbose "dsacls $commandLine"
        Write-Verbose ''

        $process.Start() | Out-Null
        $stdout = $process.StandardOutput.ReadToEnd()
        $stderr = $process.StandardError.ReadToEnd()
        $process.WaitForExit()

        if ($process.ExitCode -ne 0) {
            $msg = ("dsacls failed with exit code {0}." -f $process.ExitCode)
            Write-Verbose $stdout
            Write-Verbose $stderr
            Write-Verbose $msg
            throw $msg
        }
        Write-Verbose $stdout
        Write-Verbose "dsacls completed successfully."
    }

    Write-Verbose ''
    Write-Verbose "Will grant permission for `"$($gatekeepersGroup)`" to operate on `"$($targetUserDn)`"."
    Write-Verbose ''

    RunDsAcls $commandLine
}
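To confirm that the grant took effect on the user object (and to see which entries are still missing after a failed dsacls run), the following added verification helper reads the user's ACL back and checks each entry the grant script applies. It is not part of the Specops script; the function name Test-uResetGatekeeperPermissions is hypothetical, and it assumes the ActiveDirectory module's AD: drive plus the same placeholder group and user names as the command above.

```powershell
Import-Module ActiveDirectory
# Hypothetical helper (not from the Specops script): report, per dsacls entry the grant
# script applies, whether the Gatekeepers group now holds that right on the user object.
function Test-uResetGatekeeperPermissions {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)][string]$GatekeepersGroup,
        [Parameter(Mandatory=$true)][string]$TargetUser,
        [string]$MobileNumberAttribute = 'mobile'
    )
    $identity = (Get-ADDomain).NetBIOSName + '\' + (Get-ADGroup $GatekeepersGroup).sAMAccountName
    $userDn   = (Get-ADUser $TargetUser).DistinguishedName

    # The same entries the grant script passes to dsacls, as .NET ActiveDirectoryRights names;
    # Name '*' stands for the whole object (dsacls 'LC;;', empty object type).
    $expected = @(
        @{ Name = 'classStore';                         Rights = 'CreateChild, DeleteChild' },
        @{ Name = '*';                                  Rights = 'ListChildren' },
        @{ Name = 'userAccountControl';                 Rights = 'ReadProperty' },
        @{ Name = 'msDS-User-Account-Control-Computed'; Rights = 'ReadProperty' },
        @{ Name = 'pwdLastSet';                         Rights = 'ReadProperty' },
        @{ Name = 'lockoutTime';                        Rights = 'ReadProperty' },
        @{ Name = 'tokenGroups';                        Rights = 'ReadProperty' },
        @{ Name = $MobileNumberAttribute;               Rights = 'ReadProperty, WriteProperty' }
    )

    # Resolve each attribute/class name to its schemaIDGUID, which is what an ACE's ObjectType holds
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $guidOf = @{ '*' = [guid]::Empty }
    foreach ($e in $expected) {
        if ($e.Name -eq '*') { continue }
        $obj = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$($e.Name))" -Properties schemaIDGUID
        $guidOf[$e.Name] = if ($obj) { [guid]$obj.schemaIDGUID } else { $null }
    }

    # Only explicit Allow ACEs for the Gatekeepers group on this user object
    $aces = (Get-Acl -Path "AD:\$userDn").Access |
        Where-Object { $_.IdentityReference.Value -eq $identity -and $_.AccessControlType -eq 'Allow' }

    foreach ($e in $expected) {
        $want = [System.DirectoryServices.ActiveDirectoryRights]$e.Rights
        $hit  = $aces | Where-Object {
            $_.ObjectType -eq $guidOf[$e.Name] -and (($_.ActiveDirectoryRights -band $want) -eq $want)
        }
        [pscustomobject]@{ Object = $e.Name; Rights = $e.Rights; Granted = [bool]$hit }
    }
}

Test-uResetGatekeeperPermissions -GatekeepersGroup 'Specops Authentication Gatekeepers' -TargetUser JohnDoe
```

Any row with Granted = False means that dsacls entry is not present as an explicit Allow for the group on that object; rights inherited from a parent OU are still listed by Get-Acl and will also satisfy the check.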