Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 12 Next »

The Delegation request type enables a department administrator to modify permissions on an organizational unit in a department OU. A department administrator can submit a delegation request to add or remove one of the defined permissions sets called delegations which are detailed in the Delegations Available section below. A department administrator can request multiple delegations by submitting multiple requests. 

How-To - Request a Delegation via PowerShell script

 Click here to expand...

The Active Directory team maintains a set of PowerShell scripts at https://github.austin.utexas.edu/eis1-aad/RequestsByAttribute to assist department administrators with this process. These scripts must be run on a Windows system joined to the Austin Active Directory and the system must have the Active Directory PowerShell module installed.

  • New-ADDelegationRequest.ps1 - creates a new delegation request for a department
  • Remove-ADDelegationRequst.ps1 - remove a pending delegation request for a department

Request a delegation

  1. Download the scripts in the RequestByAttribute repo to a local directory.
  2. Start a PowerShell session as a department administrator. 

    Complete the following steps in this PowerShell session unless instructed otherwise

  3. Navigate to the directory where the RequestByAttribute scripts are located.
  4. Run the following commands to request a delegation: 

    The following example would be run by EXAMPLE-abc123 who is a department administrator in the EXAMPLE department and would grant the Computer delegation to the EXAMPLE-ComputerAdmins on the OU=Computers,OU=EXAMPLE,OU=Departments,DC=austin,DC=utexas,DC=edu organizational unit. The RequestedFor parameter notes that the department administrator is requesting the delegation on behalf of the xyz789 user.

    .\New-ADDelegationRequest.ps1 -Department EXAMPLE -Action Add -Path 'OU=Computers,OU=EXAMPLE,OU=Departments,DC=austin,DC=utexas,DC=edu' -Principal 'EXAMPLE-ComputerAdmins' -Delegation Computer -RequestedFor xyz789

How-To - Request a Delegation via ldapmodify

 Click here to expand...

INCOMPLETE


The OpenLDAP ldapmodify client can be leveraged to submit delegation requests to the Austin Active Directory by directly adding the delegation request JSON string to the requests attribute. Please see the Request By Attribute - Technical Details page for more information about the components of the process.

Request a delegation

  1. Ensure that your system is connect to the UT VPN
    • VPN access is required to retrieve a Kerberos ticket
  2. Start a command-line terminal if using a graphical UI
  3. Ensure that the ldapmodify client is available
    • MacOS - included with all modern versions of the 
    • Ubuntu - install the ldap-utils package
    • RHEL - install the openldap-clients package
  4. Create the required LDIF file
  5. Modify then run the following commands to retrieve a Kerberos ticket: 

    Replace the <dept-admin> in the following command with your department administrator username. The domain name must be capitalized. The example-abc123 department administrator would run the following: example-abc123@AUSTIN.UTEXAS.EDU

    kinit <dept-admin>@AUSTIN.UTEXAS.EDU
  6. Run the following commands to request a delegation: 

    ldapmodify -LLL -Q -H "ldap://austin.utexas.edu" -

    ldapmodify

Delegations Available

The following delegations are available via REBA:

 Click here to expand...


Delegation Name

Object Types

Description

DepartmentAll objectsThe standard delegation for Department Administrators on the Department OU.  This is almost full control (without allowing adjusting permissions on OUs or the creation of user, inetOrgPerson and account objects)  This can be used to sub-delegate full control within the Department OU.
ComputerComputerAllows the creation and deletion of computer objects and provides full control of computer objects. Allows access to LAPS passwords and BitLocker recovery information.
ComputerCreateComputerAllows the creation of computer objects.
ComputerDelete ComputerAllows the deletion of computer objects.
ComputerDenyCreateComputerDenies the creation of computer objects. If combined with the Computer delegation, the end result allows deletion of computer objects and provides full control of computer objects.
ComputerLAPSComputerAllows access to the legacy Microsoft LAPS password stored in the ms-Mcs-AdmPwd attribute on computer objects
ComputerWindowsLAPSComputerAllows access to the modern Windows LAPS password attributes on computer objects
ComputerBitLockerComputerAllows access to the BitLocker recovery information stored in a msFVE-RecoveryInformation object under the computer object. The BitLocker recovery information is only created if BitLocker escrow to Active Directory is enabled.
ComputerJoinComputerAllows joining a device to a pre-existing computer object. To allow the creation of computer objects and the ability to join the computer objects to the domain, apply both the Computer Create and Computer Join delegations.

ComputerRename ComputerAllows the renaming of computers.
GroupGroupsProvides full control on groups objects.
Allows creation and deletion of groups.  Allows adding and removing members.  Allows setting managed by.
GroupMembershipGroupsAllows only updating group memberships (add and remove members).
GroupPolicyOrganizational UnitsAllows linking/unlinking of GPOs and modifying link options (enabled/disabled, enforced, order) on Organizational Units
OUOrganizational UnitsAllows the creation, deletion, and rename of Organizational Units, along with editing their description.

Delegation Request String

The request string for a delegation request is a JSON string that contains the following properties: 

Delegation Result String

The result string for a delegation request is a JSON string that contains the following properties: 

  • No labels