Hi All,
I am after some advice on the best way to accomplish a task.
I have written an HTA in VBScript to create domain users that can be given to our helpdesk. The HTA processes a form submitted by users on our intranet, leaving the helpdesk to do the bare minimum as 95% of the new user tasks are completed in the background by the HTA.
Our helpdesk staff do not have admin rights and historically have not created user accounts. The HTA has been developed to farm off the user creation task to them.
I have identified four main tasks the HTA performs that will require admin rights:
[ol]
[li]Create user using Exchange 2007 PowerShell command.[/li]
[li]'put' user's Active Directory properties. Address, Telephone etc.[/li]
[li]Create users' home and tsprofile directory on our NAS file server using FileSystemObject [/li]
[li]Run third party tool 'setACL' to set permissions on user's home and tsprofiles directory on our NAS share.[/li]
[/ol]
What I would really like to do is to create some kind of 'wrapper' that the HTA runs in, granting all calls from the HTA the correct rights, but I guess this will require .NET or something else far more complicated for my little brain to cope with.
A few things I have thought of:
Delegated rights: Create a script that delegates rights to the HD user at runtime, and removes them after.
Problems:
If the user crashed out of HTA, then delegated rights remain and that means the HD user can use normal AD users and computers to try and create users.
Complicated to script and I don't like the idea of constantly changing AD like that.
Runas: Run the four commands with elevated rights.
Problems:
Password Not sure how to run the FSO under runas
Password has to be entered for each command unless I use something like lsrunase that will encrypt the password.
So in short, if anyone can think of a better way or something I haven't thought of, I'd be very grateful if you could point me in that direction.
Many thanks