#157595 - 2006-02-22 09:54 AM Ldap run as admin
KRB Offline
Fresh Scripter

Registered: 2004-11-03
Posts: 16
Hi!
I made a kix script to create users. Now I want to publish the script to some users on my system. But they don't have the rights to create users, so I want the script or the LDAP to be run with the domain admin account.....?
But how....?

#157596 - 2006-02-22 11:13 AM Re: Ldap run as admin
NTDOC Administrator Offline
Administrator

Registered: 2000-07-28
Posts: 11629
Loc: CA
Quote:
ldap to be run with the domain admin account

KRB

I really think you should rethink this idea. This is VERY insecure and could potentially lead to your entire network being compromised and damaged, either intentionally or unintentionally, by a normal user.

If you're running AD you might be able to delegate enough rights for a user to create a user but even that is not recommended.

Search for RUNNAS here on the board, which might be able to assist you with this task, but again I'd have to recommend against it as I don't think you're quite aware of what you're asking to do.

#157597 - 2006-02-22 11:36 AM Re: Ldap run as admin
KRB Offline
Fresh Scripter

Registered: 2004-11-03
Posts: 16
Can you not do something in the script on the LDAP, as in e.g. dsquery /userD:administrator /passwordD:XXXXXXxXXXX
#157598 - 2006-02-22 04:48 PM Re: Ldap run as admin
NTDOC Administrator Offline
Administrator

Registered: 2000-07-28
Posts: 11629
Loc: CA
Yes, but my gosh, that is even WORSE than anything else you could do. That would be in PLAIN text for every user to see.
#157599 - 2006-02-23 10:44 AM Re: Ldap run as admin
KRB Offline
Fresh Scripter

Registered: 2004-11-03
Posts: 16
I would use kixcrypt to make an exe file....?
Ok, is there any way you can make a kix script that can create users in a secure way.......? when domain users are running that script.
I have made the script with LDAP and it works, but if I can't grant the permission to some of my users the script is worth nothing.

#157600 - 2006-02-23 11:24 AM Re: Ldap run as admin
NTDOC Administrator Offline
Administrator

Registered: 2000-07-28
Posts: 11629
Loc: CA
I'm not saying you can't, but if any Director of Security at any large business found you trying to do this I'm sure they would throw the book at you.

Why on Earth do you want "normal users" creating other user accounts and all the other permissions that often go with it such as creating folders and shares and setting permissions on those.

You as an Administrator can create thousands of accounts within minutes with scripting so I don't see the need to have a normal user create accounts.

What if someone somehow gained access (even as a basic user with no rights) and got onto one of your systems? If they saw or found this Domain Admin account with the password, they could wipe out your entire network within seconds and you couldn't stop them until it was too late.

In reality it would "probably" never happen, but "if" it did then I wouldn't want to be in your shoes.

I assume they hired you to do Admin work and creating user accounts is part of being a Network Admin.

Please explain in more detail why you want or think you need to have normal users creating user accounts. Please convince me and others why this has to be done this way.

As I said though, if you're hell bent on doing this then the RUNNAS program created by Shawn Tassie is about the most secure thing I've seen (barring AD delegation) around anywhere.

RUNNAS - Tokenized Runas Utility
http://www.kixtart.org/ubbthreads/showflat.php?Cat=0&Number=153599

#157601 - 2006-02-23 11:42 AM Re: Ldap run as admin
Arend_ Moderator Offline
MM club member

Registered: 2005-01-17
Posts: 1896
Loc: Hilversum, The Netherlands
Might be better if you give that specific user "Account Operator" rights. Make sure he has no physical access to the AD though. Also, in the tool, the tool checks for the user who opens it: "if @userid = thisperson".

To contradict NTDOC a bit, I manage networks at quite a few schools, and at every school I give the head teacher "Account Operator" rights and give him 2 tools, 1 for resetting passwords (only of teachers and students) and one for creating users (again only with teacher and student rights).

Besides that, I do not allow him to log onto the server, neither physically nor with terminal services; I created a loopback policy for teachers so that they can't do anything network-wise on the server.
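As an added illustration of the delegation approach described in this post (example code written for this edit, not from the thread, not Arend_'s tool and not KiXtart's own code): a KiXtart "create student" tool that runs the LDAP call with the launching operator's own delegated rights, so no password is stored anywhere in the script. The OU, domain and operator name are assumed; the @USERID check is only a convenience gate, and the ACL on the OU (Account Operator rights or a delegated OU) is what really limits what the tool can do.

```kixtart
; Added example (not from this thread). No credentials are embedded: the
; LDAP call runs as whoever launched the tool, so AD delegation on the
; target OU is the real security boundary. The @USERID check is a
; convenience gate only. OU, domain and operator name are assumed values.

$AllowedUsers = ";headteacher;"                           ; assumed, ';'-delimited
$TargetOU     = "LDAP://OU=Students,DC=example,DC=local"  ; assumed restricted OU

; Returns 1 if the caller is on the allowed list, otherwise 0
Function IsAllowed($UserId)
  If InStr($AllowedUsers, ";" + LCase($UserId) + ";") > 0
    $IsAllowed = 1
  Else
    $IsAllowed = 0
  EndIf
EndFunction

; Creates a (still disabled) user in the restricted OU.
; Returns 0 on success, otherwise the @ERROR code AD/ADSI reported.
Function CreateStudent($Name, $Surname)
  Dim $SamName, $objOU, $objUser
  $SamName = LCase(Left($Name, 1) + $Surname)
  $objOU = GetObject($TargetOU)          ; bound with the caller's own rights
  If @ERROR = 0
    $objUser = $objOU.Create("user", "CN=" + $Name + " " + $Surname)
    $objUser.Put("sAMAccountName", $SamName)
    $objUser.Put("userPrincipalName", $SamName + "@example.local")
    $objUser.Put("givenName", $Name)
    $objUser.Put("sn", $Surname)
    $objUser.SetInfo                     ; AD enforces the OU ACL here
  EndIf
  $CreateStudent = @ERROR
EndFunction

; Convenience gate: refuse to run for anyone not on the operator list
If IsAllowed(@USERID) = 0
  ? "This tool is not available to " + @USERID
  Exit 1
EndIf

$rc = CreateStudent("Jane", "Doe")      ; constructed sample input
If $rc = 0
  ? "Account created disabled; set the initial password and enable it separately."
Else
  ? "Creation failed (denied by AD or bad OU): error " + $rc
EndIf
```

If the launching user lacks rights on the OU, SetInfo fails and the tool reports the error rather than falling back to any stored account.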

#157602 - 2006-02-23 07:23 PM Re: Ldap run as admin
NTDOC Administrator Offline
Administrator

Registered: 2000-07-28
Posts: 11629
Loc: CA
Your methodology is much more controlled and I think you understand what you're doing, while on the other hand I don't think KRB does understand all the implications and proper methods of doing something like this and is not something that can easily be taught in a couple posts here on Korg.
#157603 - 2006-02-24 08:40 AM Re: Ldap run as admin
Arend_ Moderator Offline
MM club member

Registered: 2005-01-17
Posts: 1896
Loc: Hilversum, The Netherlands
Very true. I do feel, however, that any form of password usage through scripts should be avoided.