Authentication policy for users outside scope

If an authentication policy is created for the administrators and/or helpdesk group, but they are outside the uReset Active Directory scope (“Allow users outside scope” is enabled), the uReset Gatekeeper’s group must be granted permission to read/write relevant information on the user objects.

Complete the steps below to allow administrators/helpdesk users outside of the uReset scope to enroll with Specops uReset.

Pre-requisites: The Active Directory PowerShell snapin

  1. Save the script below into a file (e.g. C:\Scripts\uResetUserPermissions.ps1)
  2. Dot source the script into a PowerShell session.
  3. Run the Grant-uResetPermissionForUserOutsideScope cmdlet for each user outside the scope that needs to enroll with uReset.

Command:

Copy

Shell Script

# "Dot source the script to load the 'Grant-uResetPermissionForUserOutsideScope' cmdlet. . C:\Scripts\uResetUserPermissions.ps1   # Run this script for each user outside scope that needs to enroll with uReset
            # GatekeepersGroup: sAMAccountName or DN of the Gatekeepers group (default is 'UReset Gatekeepers') # TargetUser: sAMAccountName or DN of the target user
            Grant-uResetPermissionForUserOutsideScope -GatekeepersGroup 'UReset Gatekeepers' -TargetUser JohnDoe
        


Script:

Copy

Shell Script

$VerbosePreference = 'Continue' $ErrorActionPreference = 'Stop'   function Grant-uResetPermissionForUserOutsideScope { [CmdletBinding()] param(     [Parameter(Mandatory=$true)]     [ValidateNotNullOrEmpty()]
                [string]$GatekeepersGroup,       [Parameter(Mandatory=$true)]     [ValidateNotNullOrEmpty()]     [string]$TargetUser,       [Parameter(Mandatory=$false)]
                [ValidateNotNullOrEmpty()]     [string]$MobileNumberAttribute='mobile' )     $VerbosePreference = 'Continue'     $ErrorActionPreference = 'Stop'
                  Write-Verbose "Gatekeeper's group: $GatekeepersGroup"     Write-Verbose "Target user:        $TargetUser"       $domain = Get-ADDomain
                try     {         $gkGroup = Get-ADGroup $GatekeepersGroup         $gatekeepersGroup = $domain.NetBIOSName + '\' + $gkGroup.sAMAccountName
                }     catch     {         throw ("Could not find Gatekeepers group ('{0}') failed." -f $GatekeepersGroup)
                }       try     {         $user = Get-ADUser $TargetUser         $targetUserDn = $user.DistinguishedName
                }     catch     {         throw ("Could not find target user ('{0}') failed." -f $TargetUser)
                }       [array]$permissionsArray = @(         'CCDC;classStore;',                       # CreateChild DeleteChild
                    'LC;;',                                   # List children
                    'RP;userAccountControl;',         'RP;msDS-User-Account-Control-Computed;',         'RP;pwdLastSet;',                         # Force password change
                    'RP;lockoutTime;',                        # Reset if locked out from AD
                    'RP;tokenGroups;',                        # Determine group membership
                      # mobile attribute - change if using a custom mobile attribute         "RPWP;$MobileNumberAttribute;"            # Read+Write mobile number
                )       $sb = New-Object System.Text.StringBuilder       [void]$sb.Append('"')     [void]$sb.Append($targetUserDn)     [void]$sb.Append('"')
                [void]$sb.Append(' /G')       $permissionsArray | foreach {         [void]$sb.Append(' "')         [void]$sb.Append($gatekeepersGroup)
                    [void]$sb.Append(':')         [void]$sb.Append($_)         [void]$sb.Append('"')     }  
                $commandLine = $sb.ToString()       function RunDsAcls($commandLine)     {         $startInfo = New-Object System.Diagnostics.ProcessStartInfo
                    $startInfo.FileName = 'dsacls.exe'         $startInfo.Arguments = $commandLine         $startInfo.UseShellExecute = $false
                    $startInfo.CreateNoWindow = $true         $startInfo.RedirectStandardOutput = $true         $startInfo.RedirectStandardError = $true
                      $process = New-Object System.Diagnostics.Process         $process.StartInfo = $startInfo           Write-Verbose ''
                    Write-Verbose "dsacls $commandLine"         Write-Verbose ''         $process.Start() | Out-Null
                      $stdout = $process.StandardOutput.ReadToEnd()         $stderr = $process.StandardError.ReadToEnd()           $process.WaitForExit()
                      if ($process.ExitCode -ne 0)         {             $msg = ("dsacls failed with exit code {0}." -f $process.ExitCode)
                        Write-Verbose $stdout             Write-Verbose $stderr             write-verbose $msg
                        throw $msg         }           Write-Verbose $stdout         Write-Verbose "dsacls completed successfully."
                }       Write-Verbose ''     Write-Verbose "Will grant permission for `"$($gatekeepersGroup)`" to operate on `"$($targetUserDn)`"."
                Write-Verbose ''       RunDsAcls $commandLine } |}