{"id":61,"date":"2021-12-06T13:39:21","date_gmt":"2021-12-06T13:39:21","guid":{"rendered":"https:\/\/12stick.de\/?page_id=61"},"modified":"2022-01-22T18:01:37","modified_gmt":"2022-01-22T18:01:37","slug":"how-to","status":"publish","type":"page","link":"https:\/\/www.12beAdmin.com\/?page_id=61","title":{"rendered":"Least Privilege Scenario: Recommended"},"content":{"rendered":"\n<ul class=\"wp-block-list\"><li>Create two security groups:&nbsp;<em>AD-12beAdmin-Manager<\/em>&nbsp;and&nbsp;<em>AD-12beAdmin-User<\/em>, or similar names fitting your naming conventions.<\/li><\/ul>\n\n\n\n<ul class=\"wp-block-list\" id=\"block-d737a9a8-3d46-45d6-87fb-30cb03bfa93d\"><li>Create a service\/task user:&nbsp;<em>AD-12beAdmin-svc<\/em>&nbsp;(or similar, fitting your naming conventions) with a long, complex password, and make it a member of&nbsp;<em>AD-12beAdmin-Manager<\/em>. This group membership is all the service account needs; do not put it into Domain Admins or any other built-in privileged group.<\/li><\/ul>\n\n\n\n<ul class=\"wp-block-list\" id=\"block-c60f3356-2dae-4d22-94ae-01a70ebc51e3\"><li>Delegate rights on users and groups in Active Directory. <code>$GroupPath<\/code> and <code>$UserPath<\/code> stand for the distinguished names of the OUs holding the managed groups and users; <code>\/I:T<\/code> applies an ACE to the OU itself and its sub-objects, <code>\/I:S<\/code> to sub-objects only.<br><br><strong>Case 1:<\/strong> Both tasks (creation\/deletion and disabling of accounts) run as&nbsp;<em>AD-12beAdmin-svc<\/em>. Delegate group\/user creation and deletion to&nbsp;<em>AD-12beAdmin-Manager<\/em>:<br><br><code>dsAcls \"$GroupPath\" \/I:T \/G AD-12beAdmin-Manager:CCDC;group<\/code><br><code>dsAcls \"$GroupPath\" \/I:S \/G AD-12beAdmin-Manager:GA<\/code><br><code>dsAcls \"$UserPath\" \/I:T \/G AD-12beAdmin-Manager:CCDC;user<\/code><br><code>dsAcls \"$UserPath\" \/I:S \/G AD-12beAdmin-Manager:GA<\/code><br><br><code>GA<\/code> (generic all) on sub-objects is full control over every object below the OU, so keep only the objects 12beAdmin manages in these OUs.<br><br><strong>Case 2:<\/strong> Only disabling accounts is performed by&nbsp;<em>AD-12beAdmin-svc<\/em>. Delegate disabling user accounts (write access to <code>userAccountControl<\/code>) to <em>AD-12beAdmin-Manager<\/em>:<br><br><code>dsAcls \"$UserPath\" \/I:S \/G AD-12beAdmin-Manager:RPWP;userAccountControl<\/code><\/li><\/ul>\n\n\n\n<ul class=\"wp-block-list\" id=\"block-08220191-3b69-4284-b821-4a8445fa445a\"><li>Delegation used by&nbsp;<strong>12beAdmin<\/strong> itself: delegate enabling user accounts, resetting passwords and setting account expiration to&nbsp;<em>AD-12beAdmin-User<\/em>:<br><br><code>dsAcls \"$UserPath\" \/I:S \/G \"AD-12beAdmin-User:CA;Reset Password;user\"<\/code><br><code>dsAcls \"$UserPath\" \/I:S \/G AD-12beAdmin-User:RPWP;userAccountControl<\/code><br><code>dsAcls \"$UserPath\" \/I:S \/G AD-12beAdmin-User:RPWP;accountExpires<\/code><\/li><\/ul>\n\n\n\n<ul class=\"wp-block-list\" id=\"block-b47631d8-1088-48f6-82b4-85004dc1443e\"><li>Add everyone who should be allowed to use <strong>12beAdmin<\/strong> to the <em>AD-12beAdmin-User<\/em> group, e.g. your helpdesk users.<br><br><\/li><li>Use a PAW \/ admin workstation \/ management server.<br>RSAT &#8211; Active Directory Users and Computers is required. On a server operating system, select the RSAT tool in Server Manager. 
On Windows 10\/11:<br><br><code>Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0<\/code><\/li><\/ul>\n\n\n\n<ul class=\"wp-block-list\"><li>Integrate tasks: grant <em>AD-12beAdmin-svc<\/em> the <strong>SeBatchLogonRight<\/strong> (Log on as a batch job) on the machine that runs the scheduled tasks. This can be done by Group Policy (security-filtered to that machine object), manually via secpol.msc (Local Security Policy), with <code>secedit<\/code> and an exported security template, or with the old ntrights.exe from the NT4 Resource Kit (if you can still find it). After all these years there is still no built-in Microsoft PowerShell cmdlet for User Rights Assignment.<br><br><\/li><li>Provide every member of the <em>AD-12beAdmin-User<\/em> group read access to <code>12beAdmin.ps1<\/code>. This can be a UNC path. Grant read access only: anyone who can write the script can run arbitrary code as every user who launches it.<\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Create two security groups:&nbsp;AD-12beAdmin-Manager&nbsp;and&nbsp;AD-12beAdmin-User, or similar names fitting your naming conventions. Create a service\/task user:&nbsp;AD-12beAdmin-svc&nbsp;(or similar, fitting your naming conventions) with a long, complex password, and make it a member of&nbsp;AD-12beAdmin-Manager. Delegate rights on users and groups in Active Directory: Case 1: Both tasks run as&nbsp;AD-12beAdmin-svc. Delegate group\/user creation and deletion to&nbsp;AD-12beAdmin-Manager: dsAcls \"$GroupPath\" \/I:T \/G AD-12beAdmin-Manager:CCDC;group dsAcls \"$GroupPath\" \/I:S \/G AD-12beAdmin-Manager:GA dsAcls \"$UserPath\" \/I:T &#8230; <a title=\"Least Privilege Scenario: Recommended\" class=\"read-more\" href=\"https:\/\/www.12beAdmin.com\/?page_id=61\" aria-label=\"More information about Least Privilege Scenario: Recommended\">Read more<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-61","page","type-page","status-publish"],"_links":{"self":[{"href":"https:\/\/www.12beAdmin.com\/index.php?rest_route=\/wp\/v2\/pages\/61","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.12beAdmin.com\/index.php?rest_route=\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.12beAdmin.com\/index.php?rest_route=\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.12beAdmin.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.12beAdmin.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=61"}],"version-history":[{"count":17,"href":"https:\/\/www.12beAdmin.com\/index.php?rest_route=\/wp\/v2\/pages\/61\/revisions"}],"predecessor-version":[{"id":230,"href":"https:\/\/www.12beAdmin.com\/index.php?rest_route=\/wp\/v2\/pages\/61\/revisions\/230"}],"wp:attachment":[{"href":"https:\/\/www.12beAdmin.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=61"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
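The steps of the least-privilege scenario above (groups, service account, dsacls delegation for Case 1 or Case 2, SeBatchLogonRight) as one runnable PowerShell script. This is an added example, not code from the 12beAdmin project. Assumptions: the OU distinguished names in the param block are placeholders for your forest, the RSAT ActiveDirectory module is installed, the script runs elevated on the machine that will host the scheduled tasks, and the caller may create objects in the admin OU and change ACLs on the two managed OUs. The function names `Invoke-DsAcls` and `Grant-BatchLogonRight` are mine. Two deliberate tightenings beyond the page's commands: the attribute ACEs carry `;user` as inherited-object type so they apply to user objects only (computer objects also have `userAccountControl`), and the batch logon right is granted through a `secedit` security template instead of secpol.msc or ntrights.exe.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not 12beAdmin project code): end-to-end setup of the page's scenario.
# Placeholders below (OU DNs) are assumptions for an example forest; adjust to yours.
[CmdletBinding()]
param(
    [string]$AdminOU   = 'OU=Admin,DC=example,DC=com',               # assumption: holds the groups and svc account
    [string]$GroupPath = 'OU=Groups,OU=12beAdmin,DC=example,DC=com', # assumption: OU with the managed groups
    [string]$UserPath  = 'OU=Users,OU=12beAdmin,DC=example,DC=com',  # assumption: OU with the managed users
    [ValidateSet(1, 2)][int]$Case = 1,                                # Case 1 or Case 2 from the page
    [SecureString]$ServicePassword = (Read-Host -AsSecureString 'Long, complex password for AD-12beAdmin-svc')
)

$Manager = 'AD-12beAdmin-Manager'; $User = 'AD-12beAdmin-User'; $Svc = 'AD-12beAdmin-svc'
$Domain  = (Get-ADDomain).NetBIOSName   # dsacls wants trustees as DOMAIN\name

# dsacls reports failures only through its exit code; turn that into a terminating error.
function Invoke-DsAcls([string[]]$Arguments) {
    $out = & dsacls.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "dsacls $($Arguments -join ' ') failed:`n$out" }
}

# Grant SeBatchLogonRight by exporting the local user-rights policy to a secedit
# template, appending the account's SID to the existing entry, and re-applying it.
function Grant-BatchLogonRight([string]$Account) {
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    $inf = Join-Path $env:TEMP 'batchlogon.inf'; $db = Join-Path $env:TEMP 'batchlogon.sdb'
    Remove-Item $inf, $db -ErrorAction SilentlyContinue
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit /export failed ($LASTEXITCODE)" }
    $lines = [System.Collections.Generic.List[string]](Get-Content $inf)
    $i = $lines.FindIndex({ param($l) $l -match '^\s*SeBatchLogonRight\s*=' })
    if ($i -ge 0) {
        if ($lines[$i].Contains("*$sid")) { return "$Account already holds SeBatchLogonRight" }
        $lines[$i] = $lines[$i].TrimEnd() + ",*$sid"          # keep existing holders, add ours
    } else {
        $h = $lines.FindIndex({ param($l) $l -eq '[Privilege Rights]' })
        if ($h -lt 0) { $lines.Add('[Privilege Rights]'); $h = $lines.Count - 1 }
        $lines.Insert($h + 1, "SeBatchLogonRight = *$sid")   # right was assigned to nobody
    }
    Set-Content -Path $inf -Value $lines -Encoding Unicode      # secedit templates are UTF-16
    & secedit.exe /configure /db $db /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed ($LASTEXITCODE)" }
    Remove-Item $inf, $db -ErrorAction SilentlyContinue
    "Granted SeBatchLogonRight to $Account ($sid)"
}

# --- 1. Groups and service account (idempotent) ---
foreach ($g in $Manager, $User) {
    if (-not (Get-ADGroup -Filter "SamAccountName -eq '$g'")) {
        New-ADGroup -Name $g -SamAccountName $g -GroupCategory Security -GroupScope Global -Path $AdminOU
    }
}
if (-not (Get-ADUser -Filter "SamAccountName -eq '$Svc'")) {
    New-ADUser -Name $Svc -SamAccountName $Svc -Path $AdminOU -AccountPassword $ServicePassword -Enabled $true
}
if (-not (Get-ADGroupMember -Identity $Manager | Where-Object SamAccountName -eq $Svc)) {
    Add-ADGroupMember -Identity $Manager -Members $Svc   # the only group the svc account needs
}

# --- 2. Delegation to AD-12beAdmin-Manager (Case 1 or Case 2 from the page) ---
if ($Case -eq 1) {
    Invoke-DsAcls $GroupPath, '/I:T', '/G', "$Domain\${Manager}:CCDC;group"
    Invoke-DsAcls $GroupPath, '/I:S', '/G', "$Domain\${Manager}:GA"
    Invoke-DsAcls $UserPath,  '/I:T', '/G', "$Domain\${Manager}:CCDC;user"
    Invoke-DsAcls $UserPath,  '/I:S', '/G', "$Domain\${Manager}:GA"
} else {
    Invoke-DsAcls $UserPath,  '/I:S', '/G', "$Domain\${Manager}:RPWP;userAccountControl;user"
}

# --- 3. Delegation to AD-12beAdmin-User (what 12beAdmin itself needs) ---
# Trailing ';user' limits each ACE to user objects; the page's commands omit it.
Invoke-DsAcls $UserPath, '/I:S', '/G', "$Domain\${User}:CA;Reset Password;user"
Invoke-DsAcls $UserPath, '/I:S', '/G', "$Domain\${User}:RPWP;userAccountControl;user"
Invoke-DsAcls $UserPath, '/I:S', '/G', "$Domain\${User}:RPWP;accountExpires;user"

# --- 4. Batch logon right on this machine for the scheduled tasks ---
Grant-BatchLogonRight "$Domain\$Svc"

# --- 5. Check: show the ACEs the two OUs now carry for our groups ---
foreach ($p in $GroupPath, $UserPath) {
    "== $p"
    (& dsacls.exe $p) | Select-String -SimpleMatch "$Domain\$Manager", "$Domain\$User" -Context 0, 2
}
```

Run it once per case from an elevated prompt on the task host; the final `dsacls` listing is the check that the ACEs landed where intended, and re-running the script is safe because object creation and the batch logon right are guarded while dsacls simply re-asserts existing ACEs.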