Authentication policy for users outside scope
If an authentication policy is created for the administrators and/or helpdesk group, but those users are outside the Secure Service Desk scope, the Gatekeepers group must be granted permission to read/write the relevant information on their user objects.
Complete the steps below to allow administrators/helpdesk users outside of the Secure Service Desk scope to enroll.
Prerequisites: the Active Directory PowerShell snap-in.
- Save the script below into a file (e.g. C:\Scripts\uResetUserPermissions.ps1).
- Dot source the script into a PowerShell session.
- Run the Grant-uResetPermissionForUserOutsideScope cmdlet for each user outside the scope that needs to enroll with Secure Service Desk.
Command:
# Dot-source the script so the cmdlet it defines is loaded into the current session.
# NOTE(review): the script listed below defines Grant-SpecopsPermissionForUserOutsideScope,
# while this example calls Grant-uResetPermissionForUserOutsideScope -- confirm which name
# your copy of the script actually exports before running this.
. C:\Scripts\uResetUserPermissions.ps1

# Run once per user outside scope that needs to enroll with uReset.
#   GatekeepersGroup : sAMAccountName or DN of the Gatekeepers group
#                      (documented default 'Specops Authentication Gatekeepers'; the script
#                      below marks it mandatory, so pass it explicitly as done here)
#   TargetUser       : sAMAccountName or DN of the target user
$grantParams = @{
    GatekeepersGroup = 'Specops Authentication Gatekeepers'
    TargetUser       = 'JohnDoe'
}
Grant-uResetPermissionForUserOutsideScope @grantParams
Script:
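function Grant-SpecopsPermissionForUserOutsideScope {
    <#
    .SYNOPSIS
        Grants the Gatekeepers group the dsacls permissions it needs on one user object
        that lies outside the Secure Service Desk scope.
    .DESCRIPTION
        Resolves the Gatekeepers group and the target user through the ActiveDirectory
        cmdlets, builds a dsacls.exe /G command line (trustee as DOMAIN\sAMAccountName,
        object as the user's distinguished name) and runs it.
    .PARAMETER GatekeepersGroup
        sAMAccountName or distinguished name of the Gatekeepers group (any identity that
        Get-ADGroup accepts).
    .PARAMETER TargetUser
        sAMAccountName or distinguished name of the target user (any identity that
        Get-ADUser accepts).
    .PARAMETER MobileNumberAttribute
        LDAP display name of the attribute holding the mobile number; the group is granted
        Read/Write property on it. Defaults to 'mobile'. Restricted to letters, digits and
        hyphens because the value is embedded in the dsacls ACE specification.
    .OUTPUTS
        None. Progress and dsacls output are written to the verbose stream.
    .NOTES
        Throws if the group or user cannot be resolved, if the user's DN cannot be quoted
        safely for dsacls, or if dsacls exits non-zero. Requires the ActiveDirectory module,
        dsacls.exe on the path, and rights to modify the user object's ACL.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [string]$GatekeepersGroup,

        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [string]$TargetUser,

        [Parameter(Mandatory = $false)]
        [ValidateNotNullOrEmpty()]
        [ValidatePattern('^[A-Za-z][A-Za-z0-9-]*$')]
        [string]$MobileNumberAttribute = 'mobile'
    )

    # Both preferences are function-scoped: verbose output is always shown, and any
    # cmdlet error becomes terminating so the try/catch blocks below actually fire.
    $VerbosePreference = 'Continue'
    $ErrorActionPreference = 'Stop'

    Write-Verbose "Gatekeeper's group: $GatekeepersGroup"
    Write-Verbose "Target user: $TargetUser"

    $domain = Get-ADDomain

    try {
        $gkGroup = Get-ADGroup -Identity $GatekeepersGroup
        # dsacls expects the trustee in DOMAIN\name form.
        $gatekeepersGroup = '{0}\{1}' -f $domain.NetBIOSName, $gkGroup.sAMAccountName
    } catch {
        throw ("Could not find Gatekeepers group '{0}': {1}" -f $GatekeepersGroup, $_.Exception.Message)
    }

    try {
        $user = Get-ADUser -Identity $TargetUser
        $targetUserDn = $user.DistinguishedName
    } catch {
        throw ("Could not find target user '{0}': {1}" -f $TargetUser, $_.Exception.Message)
    }

    # The DN is embedded in a double-quoted dsacls argument. A DN may legally contain an
    # (escaped) double quote, which would break that quoting and change how dsacls parses
    # the command line, so refuse such a DN instead of running an ambiguous command.
    if ($targetUserDn -match '"') {
        throw ("Target user DN '{0}' contains a double quote and cannot be passed to dsacls safely." -f $targetUserDn)
    }

    # dsacls ACE specifications: <rights>;<object type>;<inherited object type>.
    # Rights codes used here: CC create child, DC delete child, SD delete (the object itself),
    # LC list children, RP read property, WP write property.
    # Every element is comma-terminated; the original list lacked a comma after 'SD;;' and
    # only worked because @( ) flattens the two resulting statements.
    [string[]]$permissionsArray = @(
        'CCDC;classStore;',                        # create/delete child objects of class classStore under the user
        'SD;;',                                    # Delete on the user object itself. dsacls 'SD' is Delete, not Delete Child ('DC');
                                                   # the original comment said DeleteChild -- confirm which right is actually required.
        'LC;;',                                    # list children
        'RP;userAccountControl;',                  # read userAccountControl
        'RP;msDS-User-Account-Control-Computed;',  # read msDS-User-Account-Control-Computed
        'RP;pwdLastSet;',                          # read pwdLastSet
        'RP;lockoutTime;',                         # read lockoutTime
        'RP;tokenGroups;',                         # read tokenGroups
        "RPWP;$MobileNumberAttribute;"             # read/write the mobile number (or custom) attribute
    )

    # Resulting argument string: "<userDN>" /G "<DOMAIN\group>:<ace>" "<DOMAIN\group>:<ace>" ...
    $aces = $permissionsArray | ForEach-Object { '"{0}:{1}"' -f $gatekeepersGroup, $_ }
    $commandLine = ('"{0}" /G {1}' -f $targetUserDn, ($aces -join ' '))

    # Runs dsacls.exe with the given argument string, capturing stdout and stderr.
    # Throws when dsacls exits non-zero; all captured output goes to the verbose stream.
    function RunDsAcls([string]$commandLine) {
        $startInfo = New-Object System.Diagnostics.ProcessStartInfo
        $startInfo.FileName = 'dsacls.exe'
        $startInfo.Arguments = $commandLine
        $startInfo.UseShellExecute = $false
        $startInfo.CreateNoWindow = $true
        $startInfo.RedirectStandardOutput = $true
        $startInfo.RedirectStandardError = $true

        $process = New-Object System.Diagnostics.Process
        $process.StartInfo = $startInfo

        Write-Verbose ''
        Write-Verbose "dsacls $commandLine"
        Write-Verbose ''

        [void]$process.Start()
        # Drain stderr asynchronously while stdout is read synchronously: reading the two
        # redirected streams one after the other can deadlock if the second stream's
        # buffer fills before the first reaches EOF.
        $stderrTask = $process.StandardError.ReadToEndAsync()
        $stdout = $process.StandardOutput.ReadToEnd()
        $stderr = $stderrTask.Result
        $process.WaitForExit()

        if ($process.ExitCode -ne 0) {
            $msg = ("dsacls failed with exit code {0}." -f $process.ExitCode)
            Write-Verbose $stdout
            Write-Verbose $stderr
            Write-Verbose $msg
            throw $msg
        }

        Write-Verbose $stdout
        Write-Verbose "dsacls completed successfully."
    }

    Write-Verbose ''
    Write-Verbose "Will grant permission for `"$($gatekeepersGroup)`" to operate on `"$($targetUserDn)`"."
    Write-Verbose ''

    RunDsAcls $commandLine
}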