Working with 12beAdmin:
- Create groups that we can use for AD Delegation. I expect you to be familiar with RBAC (Role Based Access Control).
- Create 2 user accounts for each admin of your company, where the user part is identical but the suffix identifies the tier the account administers, like:
  - .CLI and .SRV
  - .002 and .001
  - .cli and .ad
  - MyName.c02 and MyName.s01
  - …
- Run 12beAdmin with the higher privileged user account. Do not use the account that you want to be a member of the %computername%-Admins group. That would be a "self elevation", and that could be exploited by an attacker.
- Delegate permissions in AD at OU level to add members to an existing group and to reset the password:
  - dsAcls.exe "$GroupPath" /I:S /G "*yourACgroup*:RPWP;member;group"
  - dsAcls.exe "$UserPath" /I:S /G "*yourACgroup*:CA;Reset Password;user"
Bulk Creation of Admin Groups for each Computer
- dsAcls.exe "$GroupPath" /I:S /G "*yourACgroup*:GA;;group"
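The bulk step and the membership delegation above, as an added PowerShell example that is not 12beAdmin's own code: it creates a "<computername>-Admins" group for every computer in one OU and delegates write access to the member attribute of those groups with the same dsacls permission string as above. The OU paths, domain and group names are placeholders you must replace.

```powershell
# Added example, not part of 12beAdmin. Run it with the higher privileged tier account,
# not with an account that will end up in one of the %computername%-Admins groups.
Import-Module ActiveDirectory

$ComputerOU = 'OU=Tier1-Servers,DC=example,DC=com'     # assumption: OU holding the computers
$GroupOU    = 'OU=Tier1-AdminGroups,DC=example,DC=com' # assumption: OU that receives the groups
$AcGroup    = 'EXAMPLE\T1-Group-Admins'                # assumption: your delegated AC group

# One "<computername>-Admins" group per computer, created only if it does not exist yet
foreach ($computer in Get-ADComputer -SearchBase $ComputerOU -Filter *) {
    $groupName = "$($computer.Name)-Admins"
    $existing  = Get-ADGroup -SearchBase $GroupOU -Filter "Name -eq '$groupName'"
    if (-not $existing) {
        New-ADGroup -Name $groupName -GroupScope DomainLocal -GroupCategory Security `
                    -Path $GroupOU -Description "Local administrators of $($computer.Name)"
    }
}

# Delegate read/write on the 'member' attribute of group objects below $GroupOU.
# /I:S inherits the ACE to subobjects only, so the OU itself gets no extra rights.
# ${AcGroup} (braces) is required: "$AcGroup:" would be parsed as a scope qualifier.
dsacls.exe "$GroupOU" /I:S /G "${AcGroup}:RPWP;member;group"

# Verify the delegation: dsacls with no switches prints the current ACL
dsacls.exe "$GroupOU" | Select-String -SimpleMatch $AcGroup
```

Group scope and the description text are choices made for this example; adjust them to your own naming and nesting conventions.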