Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie

Password Reset and User Setup Utility

Options
  • 17-03-2014 6:58pm
    #1
    Mr. G
    Moderators, Technology & Internet Moderators Posts: 4,621 Mod ✭✭✭✭


    Hi all,

    I'm helping out with this project to allow teachers in a school to change students' passwords and create logins in Active Directory without giving them administrative privileges to the AD server (so group policies, Exchange etc cannot be changed). The idea is to have a piece of software installed on certain computers to allow teachers to only be able to change student passwords and not colleagues or god forbid administrator passwords.

    The second thing is users can remotely shut down the servers through Remote Desktop once they know the IP address of the server. Is there any way to disable remote shut downs unless an administrator is logged in?

    Any ideas?

    Thanks


Comments

  • Options
    #2
    Stuxnet
    Registered Users Posts: 3,735 ✭✭✭Stuxnet


    If you run "secpol.msc"

    Go to Security Settings > Local Policies> User Rights Assignment, scroll down to "Shutdown the system" on the right, you can see who has shutdown rights, add and remove accordingly. You may need to remove the "Remote Users group" if its in there.

    There are probably more elegant ways !!


  • Options
    #3
    ressem
    Registered Users Posts: 2,426 ✭✭✭ressem


    Regarding the delegation of the password reset function,
    the spiceworks article
    http://community.spiceworks.com/how_to/show/1464-how-to-delegate-password-reset-permissions-for-your-it-staff

    describes how to assign the rights to a group and also protect sensitive accounts.

    Once that is carried out, a batch file / powershell / .Net script is easy enough to create, or they could be trained on the AD Users and Computers running on their own machine.


  • Options
    #4
    Mr. Fancypants
    Registered Users Posts: 1,892 ✭✭✭Mr. Fancypants


    For the AD Users and password resets you can use delegation privilidges in Active Directory and install RSAT on the pcs that will manage it.

    The below article will step you through it
    http://www.petenetlive.com/KB/Article/0000503.htm

    As for users shutting down the servers...that suggests they have admin rights on the servers to do so. How they are going about shutting down the server, are they running a shutdown command from a command prompt or remoting onto the server and shutting it down? Have a look at the local administrators group on the servers and see who is a member of it.


  • Options
    #5
    CptSternn
    Registered Users Posts: 1,530 ✭✭✭CptSternn


    Create an OU for students and another for teachers. Create a GPO that gives the teacher OU admin rights over the student OU and nothing else.


  • Options
    #6
    Mr. G
    Moderators, Technology & Internet Moderators Posts: 4,621 Mod ✭✭✭✭Mr. G


    Thanks folks


  • Advertisement
Advertisement