by scottd at 2012-12-05 23:33:50
This question consists of multiple parts which is why I am posting it here. Here’s what I am facing:by robertskinner at 2012-12-06 04:49:02
1. "Company A" is an outsourcing company that handles the technical helpdesk function for "Company B"
2. "John" is a helpdesk agent at "Company A"
3. "John" does not have rights to login to servers at "Company B"
4. A PowerShell script has been written to, say, unlock a "Company B" user’s AD Account, as well as several other AD admin functions.
5. The only way the script will work is if it is run on a server in "Company B" domain.
I need to modify the script so that John can say, click a button on the GUI Form the script creates, to connect him to the domain of "Company B" and run the rest of the script.
I’m thinking that the first thing I need to do is have the script only accessible to certain AD groups at "Company A" for starters.
Next, Assuming that a user with rights to run the script actually runs it, I need the script to access the "C ompany B" domain as a service account. The Service Account having the necessary rights to perform the AD functions that the script needs to do.
Finally, I need to create some kind of audit log that shows that "John" executed the script at such-and-such a time and performed these functions with the script at "Company B".
For simplicity’s sake, let’s say that the script just asks for the "Company B" user’s ID and when "John" clicks on the button in the form to do so, the script executes the command: Unlock-ADAccount <UserID>
Does anyone out there have any thoughts on how this can happen? Yes, I know this could all be solved by giving "John" the necessary rights to access a server in the domain of "Company B" but that’s not an option at this point. Any help would be greatly appreciated. Thanks, my PS Friends!
So if all the script is doing is unlocking AD accounts, I would have each "option" point to the AD server in each domain. So when they click option A or B it’s going through the same routine but the target is the AD server of that domain. Each choice would be unique, so your transaction log would be simple enough to include that this option was chosen, to it’s company A, on this date, for this user by John. Since you can design it to ask for the credentials after he chooses his option (It’s like a choose your own adventure book =] ). Authenticating to run the remote command would be simple enough assuming he has the proper privileges to do so on the AD in each domain. Since you are using the AD tools, you can just add ‘-server youradserver0101.domain.local’ to each of the options for the different company domains. I work in a Development, Staging and Production environment, so some of my maintenance scripts need to do just that, hard code in the AD controller to work, as well as ask for the different credentials when necessary. Most of what privileges John will need will be defined by AD security more so then needing to give the script the permissions.