Authentication policy for users outside scope

If an authentication policy is created for the administrators and/or helpdesk group, but they are outside the Secure Service Desk Gatekeeper’s group must be granted permission to read/write relevant information on the user objects.

Complete the steps below to allow administrators/helpdesk users outside of the Secure Service Desk.

Pre-requisites: The Active Directory PowerShell snapin

  1. Save the script below into a file (e.g. C:\Scripts\uResetUserPermissions.ps1 )
  2. Dot source the script into a PowerShell session.
  3. Run the Grant-uResetPermissionForUserOutsideScope cmdlet for each user outside the scope that needs to enroll with Secure Service Desk.

Command:

Copy

Shell Script

# "Dot source the script to load the 'Grant-uResetPermissionForUserOutsideScope' cmdlet.
                . C:\Scripts\uResetUserPermissions.ps1  
                # Run this script for each user outside scope that needs to enroll with uReset
                # GatekeepersGroup: sAMAccountName or DN of the Gatekeepers group (default is 'Specops Authentication Gatekeepers')
                # TargetUser: sAMAccountName or DN of the target user
            Grant-uResetPermissionForUserOutsideScope -GatekeepersGroup 'Specops Authentication Gatekeepers' -TargetUser JohnDoe


Script:

Copy

Shell Script

function Grant-SpecopsPermissionForUserOutsideScope {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [string]$GatekeepersGroup,

        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [string]$TargetUser,

        [Parameter(Mandatory = $false)]
        [ValidateNotNullOrEmpty()]
        [string]$MobileNumberAttribute = 'mobile'
    )

    $VerbosePreference = 'Continue'
    $ErrorActionPreference = 'Stop'

    Write-Verbose "Gatekeeper's group: $GatekeepersGroup"
    Write-Verbose "Target user: $TargetUser"

    $domain = Get-ADDomain
    try {
        $gkGroup = Get-ADGroup $GatekeepersGroup
        $gatekeepersGroup = $domain.NetBIOSName + '\' + $gkGroup.sAMAccountName
    } catch {
        throw ("Could not find Gatekeepers group ('{0}') failed." -f $GatekeepersGroup)
    }

    try {
        $user = Get-ADUser $TargetUser
        $targetUserDn = $user.DistinguishedName
    } catch {
        throw ("Could not find target user ('{0}') failed." -f $TargetUser)
    }

    [array]$permissionsArray = @(
        'CCDC;classStore;',                   # CreateChild for classStore
        'SD;;'                    # DeleteChild permission
        'LC;;',                               # List children permission
        'RP;userAccountControl;',             # Read property userAccountControl
        'RP;msDS-User-Account-Control-Computed;',  # Read property msDS-User-Account-Control-Computed
        'RP;pwdLastSet;',                     # Read property pwdLastSet
        'RP;lockoutTime;',                    # Read property lockoutTime
        'RP;tokenGroups;',                    # Read property tokenGroups
        "RPWP;$MobileNumberAttribute;"        # Read/Write property for mobile number (or custom attribute)
    )

    $sb = New-Object System.Text.StringBuilder
    [void]$sb.Append('"')
    [void]$sb.Append($targetUserDn)
    [void]$sb.Append('" /G')

    $permissionsArray | ForEach-Object {
        [void]$sb.Append(' "')
        [void]$sb.Append($gatekeepersGroup + ':' + $_)
        [void]$sb.Append('"')
    }

    $commandLine = $sb.ToString()

    function RunDsAcls($commandLine) {
        $startInfo = New-Object System.Diagnostics.ProcessStartInfo
        $startInfo.FileName = 'dsacls.exe'
        $startInfo.Arguments = $commandLine
        $startInfo.UseShellExecute = $false
        $startInfo.CreateNoWindow = $true
        $startInfo.RedirectStandardOutput = $true
        $startInfo.RedirectStandardError = $true

        $process = New-Object System.Diagnostics.Process
        $process.StartInfo = $startInfo

        Write-Verbose ''
        Write-Verbose "dsacls $commandLine"
        Write-Verbose ''

        $process.Start() | Out-Null

        $stdout = $process.StandardOutput.ReadToEnd()
        $stderr = $process.StandardError.ReadToEnd()
        $process.WaitForExit()

        if ($process.ExitCode -ne 0) {
            $msg = ("dsacls failed with exit code {0}." -f $process.ExitCode)
            Write-Verbose $stdout
            Write-Verbose $stderr
            Write-Verbose $msg
            throw $msg
        }

        Write-Verbose $stdout
        Write-Verbose "dsacls completed successfully."
    }

    Write-Verbose ''
    Write-Verbose "Will grant permission for `"$($gatekeepersGroup)`" to operate on `"$($targetUserDn)`"."
    Write-Verbose ''

    RunDsAcls $commandLine
}