Least Privilege Scenario: Recommended

  • Create 2 security groups: AD-12beAdmin-Manager and AD-12beAdmin-User or similar fitting your naming conventions.
  • Create a Service/Task User: AD-12beAdmin-svc or similar fitting your naming conventions, with a long and complex password, and make it a member of AD-12beAdmin-Manager.
  • Delegate rights on the user and group OUs in Active Directory:

    Case 1: Both tasks run by AD-12beAdmin-svc. Delegate Group/User creation/deletion to AD-12beAdmin-Manager:

    dsAcls "$GroupPath" /I:T /G AD-12beAdmin-Manager:CCDC;group
    dsAcls "$GroupPath" /I:S /G AD-12beAdmin-Manager:GA
    dsAcls "$UserPath" /I:T /G AD-12beAdmin-Manager:CCDC;user
    dsAcls "$UserPath" /I:S /G AD-12beAdmin-Manager:GA

    Case 2: Only disabling of accounts is performed by AD-12beAdmin-svc. Delegate "disable user account" (write to userAccountControl) to AD-12beAdmin-Manager:

    dsAcls "$UserPath" /I:S /G AD-12beAdmin-Manager:RPWP;userAccountControl
  • Delegate rights used interactively through 12beAdmin:
    Delegate enabling user accounts, resetting passwords and setting account expiration to AD-12beAdmin-User:

    dsAcls "$UserPath" /I:S /G "AD-12beAdmin-User:CA;Reset Password;user"
    dsAcls "$UserPath" /I:S /G AD-12beAdmin-User:RPWP;userAccountControl
    dsAcls "$UserPath" /I:S /G AD-12beAdmin-User:RPWP;accountExpires
  • Add everyone who should be allowed to use 12beAdmin to the AD-12beAdmin-User group, e.g. your helpdesk users.

  • Use a PAW / admin workstation / management server.
    RSAT – Active Directory Users and Computers is required. On a server operating system, just select the RSAT tool in Server Manager. On Windows 10/11:

    Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0
  • Integrate tasks: Grant AD-12beAdmin-svc the SeBatchLogonRight (Log on as a batch job). This can be done by Group Policy (filtered to the machine object), manually via secpol.msc (Local Security Policy), or with the old ntrights.exe from the NT4 Resource Kit (if you can still find it); after all these years there is still no Microsoft PowerShell cmdlet for User Rights Assignment.

  • Provide every member of the AD-12beAdmin-User group with read access to 12beAdmin.ps1. This can be a UNC path.
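The steps above, carried out end to end from an admin workstation, as an added PowerShell example that is not part of the 12beAdmin project. The OU distinguished names, the separate container for the admin groups and service account, the NetBIOS domain prefix and the helpdesk group name are assumptions; replace them with your own. The read-back function at the end is also an addition: it lists the ACEs that mention the two delegation groups so you can confirm that only the intended rights were granted and nothing wider.

```powershell
# Added example: least-privilege setup for 12beAdmin, then a delegation read-back.
# All container DNs, the domain prefix and the helpdesk group name are assumptions.
#Requires -RunAsAdministrator

# RSAT (Active Directory module) is required on Windows 10/11 workstations.
if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) {
    Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0
}
Import-Module ActiveDirectory

# Assumed containers. The delegated OUs ($GroupPath/$UserPath) are kept separate from
# the container holding the admin groups and the service account ($AdminPath), so the
# GA right granted below never applies to the delegation groups themselves.
$GroupPath = "OU=12beAdmin-Groups,DC=example,DC=local"   # assumed
$UserPath  = "OU=12beAdmin-Users,DC=example,DC=local"    # assumed
$AdminPath = "OU=12beAdmin-Admin,DC=example,DC=local"    # assumed
$Domain    = (Get-ADDomain).NetBIOSName                  # dsacls expects DOMAIN\principal

# 1. Two security groups: Manager (scheduled task) and User (interactive helpdesk use).
foreach ($g in "AD-12beAdmin-Manager", "AD-12beAdmin-User") {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -SamAccountName $g -GroupScope Global -GroupCategory Security -Path $AdminPath
    }
}

# 2. Service/task account with a long, complex password, member of the Manager group.
$svc = "AD-12beAdmin-svc"
if (-not (Get-ADUser -Filter "SamAccountName -eq '$svc'")) {
    $pw = Read-Host -AsSecureString -Prompt "Long, complex password for $svc"
    New-ADUser -Name $svc -SamAccountName $svc -Path $AdminPath -AccountPassword $pw -Enabled $true `
               -Description "12beAdmin scheduled task account"
}
Add-ADGroupMember -Identity "AD-12beAdmin-Manager" -Members $svc

# 3. Delegation with dsacls. ${mgr}/${usr} use braces so PowerShell does not read
#    "$mgr:GA" as a drive-qualified variable.
$mgr = "$Domain\AD-12beAdmin-Manager"
$usr = "$Domain\AD-12beAdmin-User"

# Case 1: the service account creates and deletes groups and users.
dsacls "$GroupPath" /I:T /G "${mgr}:CCDC;group"
dsacls "$GroupPath" /I:S /G "${mgr}:GA"
dsacls "$UserPath"  /I:T /G "${mgr}:CCDC;user"
dsacls "$UserPath"  /I:S /G "${mgr}:GA"
# Case 2 (use INSTEAD of the four Case 1 lines): the service account only disables accounts.
# dsacls "$UserPath" /I:S /G "${mgr}:RPWP;userAccountControl"

# Rights used interactively through 12beAdmin: enable, reset password, account expiration.
dsacls "$UserPath" /I:S /G "${usr}:CA;Reset Password;user"
dsacls "$UserPath" /I:S /G "${usr}:RPWP;userAccountControl"
dsacls "$UserPath" /I:S /G "${usr}:RPWP;accountExpires"

# 4. Everyone allowed to use 12beAdmin goes into the User group (assumed helpdesk group).
Add-ADGroupMember -Identity "AD-12beAdmin-User" -Members "Helpdesk-Tier1"

# 5. Read-back: which ACEs on an OU mention the 12beAdmin delegation groups?
#    ObjectType/InheritedObjectType are GUIDs here; run plain `dsacls "$UserPath"`
#    if you prefer the resolved attribute and class names.
function Get-12beAdminDelegation {
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -Path "AD:\$Path").Access |
        Where-Object { $_.IdentityReference -like "*AD-12beAdmin-*" } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                      InheritanceType, ObjectType, InheritedObjectType
}
Get-12beAdminDelegation -Path $GroupPath | Format-Table -AutoSize
Get-12beAdminDelegation -Path $UserPath  | Format-Table -AutoSize
```

Run the read-back after delegation and again whenever the OUs are touched by other tooling: for the User group you expect exactly one ExtendedRight entry (Reset Password) and two WriteProperty entries (userAccountControl, accountExpires), all inherited to sub-objects only; any GenericAll entry for AD-12beAdmin-User means a delegation was widened beyond what this page intends. The Case 1 and Case 2 blocks are alternatives, not both; applying both leaves the GA grant in place and makes the narrower Case 2 grant meaningless.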