Privileges for Local Security Group Management


Brad Baker

Our developers are writing a web application to allow our end users to
manage their own Active Directory accounts (create accounts, delete accounts,
etc.). This web application impersonates an account with Account Operator
privileges in Active Directory.

The web application can create and manage Active Directory accounts without
problems. However, the web application also needs to be able to add Active
Directory accounts to local security groups on each domain computer. (We're
running a legacy application which supports a degree of AD integration but
still utilizes local security groups on each server for managing
permissions.)

Anyway, our problem is that the account we are using for impersonation does
not seem to have proper permissions to manage local security groups on each
domain computer. I could add the account being used for impersonation as a
member of the power users group on each server but my understanding is that
power users have privileges to do much more than just user/group management
so I'm not sure that's such a good idea.

Does anyone have any recommendations on how to allow a domain account
permissions to modify local security groups on domain computers?

Thanks
Brad
 
Brad Baker said:
Our developers are writing a web application to allow our end users to
manage their own Active Directory accounts (create accounts, delete
accounts, etc.). This web application impersonates an account with Account
Operator privileges in Active Directory.

The web application can create and manage Active Directory accounts
without problems. However, the web application also needs to be able to add
Active Directory accounts to local security groups on each domain
computer. (We're running a legacy application which supports a degree of
AD integration but still utilizes local security groups on each server for
managing permissions.)

Anyway, our problem is that the account we are using for impersonation
does not seem to have proper permissions to manage local security groups
on each domain computer. I could add the account being used for
impersonation as a member of the power users group on each server but my
understanding is that power users have privileges to do much more than
just user/group management so I'm not sure that's such a good idea.

It may not be a good idea but it is not 'much' more -- create printers
(which means loading print drivers), manage file and print shares, add users
(up to Power User level), change time (IIRC), run legacy applications
(unsafe), and alter process priority (BELOW realtime).

There might be something else but that is pretty much it for Power Users.

BTW, can you not go to native mode and use Local Groups on the Domain?

I don't know how the custom app would know unless it is so badly written as
to actually ENUMERATE a fixed group name.
Does anyone have any recommendations on how to allow a domain account
permissions to modify local security groups on domain computers?

You could probably do better if you built your own group but it might be
very tedious.
 
BTW, can you not go to native mode and use Local Groups on the Domain?
No, that's not an option due to how the software works.
You could probably do better if you built your own group but it might be
very tedious.
Any suggestions on how to do that? Given that this is a web application, if
there was ever a bug or security hole we would want to limit access as much
as possible. I couldn't really see a way in Local Users and Groups to assign
permissions to a new group?
 