Customizing the options of the Active Directory Delegation Wizard

With the Active Directory Delegation Wizard, administrative tasks within AD can be delegated to individual administrators (or administrator groups) in a clear and simple way.

By default, the Delegation Wizard (Windows 2016) offers 13 standard permissions that can be delegated. This list can be extended in many ways. To do so, the file delegwiz.inf in the folder %WinDir%\inf (up to Windows 2003 R2) or %WinDir%\system32 (from Windows 2008 onward) must be edited.

To add a new permission to the selection list, enter it into the delegwiz.inf file using the following syntax:

;---------------------------------------------------------
[templateTemplateNumber]
AppliesToClasses=Classes
Description = Description
ObjectTypes = ObjectTypes
[templateTemplateNumber.ObjectTypes]
PermissionEntries
;---------------------------------------------------------

Where:
TemplateNumber is the sequential number of the new task template for the delegation. Since the first 13 numbers in delegwiz.inf are already taken, start at number 14 and increment it for each new task template.
Classes are the AD object classes to which the task template can be applied. Multiple classes are separated by commas. For example, a task template that can be applied at the domain level, to OUs and to containers has the value domainDNS,organizationalUnit,container.
Description is the description of the new task as it will subsequently be shown in the Delegation Wizard.
ObjectTypes are the AD object types that are modified by the new task template.
PermissionEntries represent the permissions that the task template grants on objects/containers.
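An added example (not code from the page or from Microsoft) that parses a delegwiz.inf in the syntax described above, reports templates that are listed in [DelegationTemplates] but never defined (or defined but never listed), computes the next free TemplateNumber, and lists broad entries such as @=GA or userAccountControl=WP for manual review before the file is rolled out. The embedded sample file is constructed, and the HIGH_IMPACT table is this example's own review rule, not something the wizard enforces.

```python
"""Audit a delegwiz.inf before rollout (added example, not code from the page).
Section/key names are those the page documents; sample file and HIGH_IMPACT are mine."""
import re
# Constructed sample: template15 is listed but never defined, template16 the reverse.
SAMPLE_INF = """\
[DelegationTemplates]
Templates = template1, template14, template15
[template1]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Create, delete, and manage user accounts"
ObjectTypes = SCOPE, user
[template1.SCOPE]
user=CC,DC
[template1.user]
@=GA
;---------------------------------------------------------
[template14]
AppliesToClasses=organizationalUnit
Description = "Disable a user account"
ObjectTypes = user
[template14.user]
userAccountControl=WP
[template16]
AppliesToClasses=organizationalUnit
Description = "Unlock a user account"
ObjectTypes = user
[template16.user]
lockoutTime=WP
"""
# Rights that reach well beyond one narrow task: "@" is the whole object, and
# userAccountControl=WP writes every UAC flag, not only "account disabled".
HIGH_IMPACT = {"@": {"GA", "WD", "WO", "WP"}, "userAccountControl": {"WP"}}

def parse_inf(text):
    """Return {section: [(key, value), ...]}, keeping duplicate keys in order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()               # drop ; comments
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif line and current is not None:
            key, _, value = line.partition("=")
            sections[current].append((key.strip(), value.strip().strip('"')))
    return sections

def split_list(value): return [v.strip() for v in value.split(",") if v.strip()]

def audit(text):
    """Return (structural problems, high-impact entries to review by hand)."""
    inf = parse_inf(text)
    problems, review = [], []
    listed = split_list(dict(inf.get("DelegationTemplates", [])).get("Templates", ""))
    for name in listed:
        if name not in inf:
            problems.append(f"{name}: listed but not defined")
            continue
        fields = dict(inf[name])
        for req in ("AppliesToClasses", "Description", "ObjectTypes"):
            if req not in fields:
                problems.append(f"{name}: missing {req}")
        for otype in split_list(fields.get("ObjectTypes", "")):
            sub = f"{name}.{otype}"
            if not inf.get(sub):
                problems.append(f"{name}: no permission entries in [{sub}]")
            for key, value in inf.get(sub, []):
                if set(split_list(value)) & HIGH_IMPACT.get(key, set()):
                    review.append(f"{sub}: {key}={value}")
    for name in inf:                  # defined but unlisted: the wizard never shows it
        if re.fullmatch(r"template\d+", name) and name not in listed:
            problems.append(f"{name}: defined but not listed in [DelegationTemplates]")
    return problems, review

def next_template_number(text):
    """First free number for a new task template (the page says: start at 14, count up)."""
    nums = [int(m.group(1)) for s in parse_inf(text) if (m := re.fullmatch(r"template(\d+)", s))]
    return max(nums, default=0) + 1
```

The review list is worth reading closely: several of the Microsoft tasks below that differ only in their Description (disable an account, trust for delegation, no Kerberos pre-authentication) all grant the same userAccountControl=WP, so delegating one of them effectively delegates the others too.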

Microsoft provides a nice template with 70 tasks here that can be loaded into the Delegation Wizard:

[Version]
signature="$CHICAGO$"

[DelegationTemplates]
Templates = template1, template2, template3, template4, template5, template6, template7, template8, template9, template10, template11, template12, template13, template14, template15, template16, template17, template18, template19, template20, template21, template22, template23,template24, template25, template26, template27, template28, template29, template30, template31, template32, template33,template34, template35, template36, template37, template38, template39, template40, template41, template42, template43,template44, template45, template46, template47, template48, template49, template50, template51, template52, template53,template54, template55, template56, template57, template58, template59, template60, template61, template62, template63,template64, template65, template66, template67, template68, template69, template70

;----------------------------------------------------------
[template1]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Create, delete, and manage user accounts"
ObjectTypes = SCOPE, user
[template1.SCOPE]
user=CC,DC
[template1.user]
@=GA
;----------------------------------------------------------
;----------------------------------------------------------
[template2]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Reset user passwords and force password change at next logon"
ObjectTypes = user
[template2.user]
CONTROLRIGHT= "Reset Password"
pwdLastSet=RP,WP
;----------------------------------------------------------
;----------------------------------------------------------
[template3]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Read all user information"
ObjectTypes = user
[template3.user]
@=RP
;----------------------------------------------------------
;----------------------------------------------------------
[template4]
AppliesToClasses = organizationalUnit,container
Description = "Create, delete and manage groups"
ObjectTypes = SCOPE, group
[template4.SCOPE]
group=CC,DC
[template4.group]
@=GA
;----------------------------------------------------------
;----------------------------------------------------------
[template5]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Modify the membership of a group"
ObjectTypes = group
[template5.group]
member=RP,WP
;----------------------------------------------------------
;----------------------------------------------------------
[template6]
AppliesToClasses = domainDNS
Description = "Join a computer to the domain"
ObjectTypes = SCOPE
[template6.SCOPE]
computer=CC
;----------------------------------------------------------
;----------------------------------------------------------
[template7]
AppliesToClasses = domainDNS,organizationalUnit,site
Description = "Manage Group Policy links"
ObjectTypes = SCOPE
[template7.SCOPE]
gPLink=RP,WP
gPOptions=RP,WP
;----------------------------------------------------------
;----------------------------------------------------------
[template8]
AppliesToClasses=domainDNS,organizationalUnit
Description = "Generate Resultant Set of Policy (Planning)"
ObjectTypes = SCOPE
[template8.SCOPE]
CONTROLRIGHT= "Generate Resultant Set of Policy (Planning)"
;----------------------------------------------------------
;----------------------------------------------------------
[template9]
AppliesToClasses=domainDNS,organizationalUnit
Description = "Generate Resultant Set of Policy (Logging)"
ObjectTypes = SCOPE
[template9.SCOPE]
CONTROLRIGHT= "Generate Resultant Set of Policy (Logging)"
;----------------------------------------------------------
;----------------------------------------------------------
[template10]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Create, delete, and manage inetOrgPerson accounts"
ObjectTypes = SCOPE, inetOrgPerson
[template10.SCOPE]
inetOrgPerson=CC,DC
[template10.inetOrgPerson]
@=GA
;----------------------------------------------------------
;----------------------------------------------------------
[template11]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Reset inetOrgPerson passwords and force password change at next logon"
ObjectTypes = inetOrgPerson
[template11.inetOrgPerson]
CONTROLRIGHT= "Reset Password"
pwdLastSet=RP,WP
;----------------------------------------------------------
;----------------------------------------------------------
[template12]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Read all inetOrgPerson information"
ObjectTypes = inetOrgPerson
[template12.inetOrgPerson]
@=RP
;----------------------------------------------------------
;----------------------------------------------------------
[template13]
AppliesToClasses=container
Description = "Create, Delete, and Manage WMI Filters"
ObjectTypes = SCOPE, msWMI-Som
[template13.SCOPE]
msWMI-Som=CC,DC
[template13.msWMI-Som]
@=GA
;----------------------------------------------------------
;----------------------------------------------------------
[template14]
AppliesToClasses=domainDNS,organizationalUnit
Description = "Create an Organizational Unit"
ObjectTypes = SCOPE
[template14.SCOPE]
organizationalUnit=CC
;----------------------------------------------------------
;----------------------------------------------------------
[template15]
AppliesToClasses=domainDNS,organizationalUnit
Description = "Delete a child Organizational Unit"
ObjectTypes = SCOPE
[template15.SCOPE]
organizationalUnit=DC
;----------------------------------------------------------
;----------------------------------------------------------
[template16]
AppliesToClasses=organizationalUnit
Description = "Delete this Organizational Unit"
ObjectTypes = organizationalUnit
[template16.organizationalUnit]
@=SD
;----------------------------------------------------------
;----------------------------------------------------------
[template17]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Rename an Organizational Unit"
ObjectTypes = organizationalUnit
[template17.organizationalUnit]
ou=WP
name=WP
;----------------------------------------------------------
;----------------------------------------------------------
[template18]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Modify Description of an Organizational Unit"
ObjectTypes = organizationalUnit
[template18.organizationalUnit]
description=WP
;----------------------------------------------------------
;----------------------------------------------------------
[template19]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Modify Managed-By Information of an Organizational Unit"
ObjectTypes = organizationalUnit
[template19.organizationalUnit]
managedBy=WP
;----------------------------------------------------------
;----------------------------------------------------------
[template20]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Delegate Control of an Organizational Unit"
ObjectTypes = organizationalUnit
[template20.organizationalUnit]
@=WD
;----------------------------------------------------------
;----------------------------------------------------------
[template21]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Create a group"
ObjectTypes = SCOPE
[template21.SCOPE]
group=CC
;----------------------------------------------------------
[template22]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Delete a child group"
ObjectTypes = SCOPE
[template22.SCOPE]
group=DC
;----------------------------------------------------------
;----------------------------------------------------------
[template23]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Delete this group"
ObjectTypes = group
[template23.group]
@=SD
;----------------------------------------------------------
;----------------------------------------------------------
[template24]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Rename a group"
ObjectTypes = group
[template24.group]
cn=WP
name=WP
;----------------------------------------------------------
;----------------------------------------------------------
[template25]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Specify the Pre-Windows 2000 compatible name for the group"
ObjectTypes = group
[template25.group]
sAMAccountName=WP
;----------------------------------------------------------
;----------------------------------------------------------
[template26]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Modify the description of a group"
ObjectTypes = group
[template26.group]
description=WP
;----------------------------------------------------------
;----------------------------------------------------------
[template27]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Modify the scope of the group"
ObjectTypes = group
[template27.group]
groupType=WP
;----------------------------------------------------------
;----------------------------------------------------------
[template28]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Modify the type of the group"
ObjectTypes = group
[template28.group]
groupType=WP
;----------------------------------------------------------
;----------------------------------------------------------
[template29]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Modify notes for a group"
ObjectTypes = group
[template29.group]
info=WP
;----------------------------------------------------------
[template30]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Modify group membership"
ObjectTypes = group
[template30.group]
member=WP
;----------------------------------------------------------
[template31]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Specify Managed-By Information of a Group"
ObjectTypes = group
[template31.group]
managedBy=WP
;----------------------------------------------------------
;----------------------------------------------------------
[template32]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Create a computer account"
ObjectTypes = SCOPE
[template32.SCOPE]
computer=CC
;----------------------------------------------------------
;----------------------------------------------------------
[template33]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Delete a child computer account"
ObjectTypes = SCOPE
[template33.SCOPE]
computer=DC
;----------------------------------------------------------
[template34]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Delete this computer account"
ObjectTypes = computer
[template34.computer]
@=SD
;----------------------------------------------------------
;----------------------------------------------------------
[template35]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Rename a computer account"
ObjectTypes = computer
[template35.computer]
@=WP
;----------------------------------------------------------
;----------------------------------------------------------
[template36]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Disable a computer account"
ObjectTypes = computer
[template36.computer]
userAccountControl=WP
;----------------------------------------------------------
;----------------------------------------------------------
[template37]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Reset a computer account"
ObjectTypes = computer
[template37.computer]
CONTROLRIGHT= "Reset Password"
;----------------------------------------------------------
;----------------------------------------------------------
[template38]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Specify the computer's description"
ObjectTypes = computer
[template38.computer]
description=WP
;----------------------------------------------------------
;----------------------------------------------------------
[template39]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Specify Managed-By information for a computer account"
ObjectTypes = computer
[template39.computer]
managedBy=WP
;----------------------------------------------------------
;----------------------------------------------------------
[template40]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Specify that a computer account be trusted for delegation"
ObjectTypes = computer
[template40.computer]
userAccountControl=WP
;----------------------------------------------------------
;----------------------------------------------------------
[template41]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Create a user account in disabled state"
ObjectTypes = SCOPE
[template41.SCOPE]
user=CC
;----------------------------------------------------------
;----------------------------------------------------------
[template42]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Create a user account"
ObjectTypes = SCOPE , user
[template42.SCOPE]
user=CC
[template42.user]
userAccountControl=WP
CONTROLRIGHT= "Reset Password"
;----------------------------------------------------------
;----------------------------------------------------------
[template43]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Delete a child user account"
ObjectTypes = SCOPE
[template43.SCOPE]
user=DC
;----------------------------------------------------------
[template44]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Delete this user account"
ObjectTypes = user
[template44.user]
@=SD
;----------------------------------------------------------
;----------------------------------------------------------
[template45]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Rename a user account"
ObjectTypes = user
[template45.user]
cn=WP
name=WP
distinguishedName=WP
;----------------------------------------------------------
;----------------------------------------------------------
[template46]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Disable a user account"
ObjectTypes = user
[template46.user]
userAccountControl=WP
;----------------------------------------------------------
;----------------------------------------------------------
[template47]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Unlock a user account"
ObjectTypes = user
[template47.user]
lockoutTime=WP
;----------------------------------------------------------
;----------------------------------------------------------
[template48]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Enable a disabled user account"
ObjectTypes = user
[template48.user]
userAccountControl=WP
;----------------------------------------------------------
;----------------------------------------------------------
[template49]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Reset a user account's password"
ObjectTypes = user
[template49.user]
CONTROLRIGHT= "Change Password"
;----------------------------------------------------------
;----------------------------------------------------------
[template50]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Force a user account to change the password at the next logon"
ObjectTypes = user
[template50.user]
CONTROLRIGHT= "Reset Password"
userPassword=WP
;----------------------------------------------------------
;----------------------------------------------------------
[template51]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Modify a user's display name"
ObjectTypes = user
[template51.user]
adminDisplayName=WP
;----------------------------------------------------------
;----------------------------------------------------------
[template52]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Modify a user account's description"
ObjectTypes = user
[template52.user]
description=WP
;----------------------------------------------------------
;----------------------------------------------------------
[template53]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Modify a user's office location"
ObjectTypes = user
[template53.user]
physicalDeliveryOfficeName=WP
;----------------------------------------------------------
;----------------------------------------------------------
[template54]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Modify a user's telephone number"
ObjectTypes = user
[template54.user]
telephoneNumber=WP
;----------------------------------------------------------
;----------------------------------------------------------
[template55]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Modify the location of a user's primary web page"
ObjectTypes = user
[template55.user]
wWWHomePage=WP
;----------------------------------------------------------
;----------------------------------------------------------
[template56]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Modify a user's UPN"
ObjectTypes = user
[template56.user]
userPrincipalName=WP
;----------------------------------------------------------
;----------------------------------------------------------
[template57]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Modify a user's Pre-Windows 2000 user logon name"
ObjectTypes = user
[template57.user]
sAMAccountName=WP
;----------------------------------------------------------
;----------------------------------------------------------
[template58]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Modify the hours during which a user can log on"
ObjectTypes = user
[template58.user]
logonHours=WP
;----------------------------------------------------------
;----------------------------------------------------------
[template59]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Specify the computers from which a user can log on"
ObjectTypes = user
[template59.user]
userWorkstations=WP
;----------------------------------------------------------
;----------------------------------------------------------
[template60]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Set User cannot change password for a user account"
ObjectTypes = user
[template60.user]
CONTROLRIGHT= "Change Password"
;----------------------------------------------------------
;----------------------------------------------------------
[template61]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Set Password Never Expires for a user account"
ObjectTypes = user
[template61.user]
userAccountControl=WP
;----------------------------------------------------------
;----------------------------------------------------------
[template62]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Set Store Password Using Reversible Encryption for a user account"
ObjectTypes = user
[template62.user]
userAccountControl=WP
;----------------------------------------------------------
;----------------------------------------------------------
[template63]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Disable a user account"
ObjectTypes = user
[template63.user]
userAccountControl=WP
;----------------------------------------------------------
;----------------------------------------------------------
[template64]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Set Smart card is required for interactive logon for a user account"
ObjectTypes = user
[template64.user]
userAccountControl=WP
;----------------------------------------------------------
;----------------------------------------------------------
[template65]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Set Account is sensitive and cannot be delegated for a user account"
ObjectTypes = user
[template65.user]
userAccountControl=WP
;----------------------------------------------------------
;----------------------------------------------------------
[template66]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Set Use DES encryption types for this account for a user account"
ObjectTypes = user
[template66.user]
userAccountControl=WP
;----------------------------------------------------------
;----------------------------------------------------------
[template67]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Set Do not require Kerberos pre-authentication for a user account"
ObjectTypes = user
[template67.user]
userAccountControl=WP
;----------------------------------------------------------
;----------------------------------------------------------
[template68]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Specify the date when a user account expires"
ObjectTypes = user
[template68.user]
accountExpires=WP
;----------------------------------------------------------
;----------------------------------------------------------
[template69]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Specify a profile path for a user"
ObjectTypes = user
[template69.user]
profilePath=WP
;----------------------------------------------------------
;----------------------------------------------------------
[template70]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Specify a logon script for a user"
ObjectTypes = user
[template70.user]
scriptPath=WP
;----------------------------------------------------------

Sources:
https://docs.microsoft.com/
https://social.technet.microsoft.com/
