  • User Permission and Expiry

    Have had a look around the net and haven't found anything that mentions anything about this, but it would have to be an issue in every workplace.

    We have been discussing when people go on leave and give their password to whoever is stepping in for them... Major security issues here.

    What we want to be able to do is, somehow, add user1's permissions to user2 whilst user1 is away on leave for two weeks.

    We know it is going to be two weeks, so we add an expiry, so in two weeks' time, No2 loses No1's permissions...

    Sounds simple enough?

    Re: User Permission and Expiry

    First, I never tried it. Second, the script sets the expire date (the days the user is on leave),
    and you will need to remember the date, fix the expire date again and remove
    the permission.

    On Error Resume Next
    Const E_ADS_PROPERTY_NOT_FOUND = &h8000500D
    Const ADS_PROPERTY_APPEND = 3

    ' Bind to the user whose group memberships are to be copied
    Set objUser = GetObject("LDAP://CN=User1,OU=Users,OU=Serverxcompany,dc=serverxs,dc=com")

    intPrimaryGroupID = objUser.Get("primaryGroupID")
    arrMemberOf = objUser.GetEx("memberOf")

    If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
        WScript.Echo "The memberOf attribute is not set."
    Else
        ' Add the stand-in user to every group User1 is a member of
        For Each Group In arrMemberOf
            Set objGroup = GetObject("LDAP://" & Group)
            objGroup.PutEx ADS_PROPERTY_APPEND, "member", Array("cn=test user,ou=servertest,dc=serverx,dc=com")
            objGroup.SetInfo ' write the membership change back to the directory
        Next
    End If

    ' This part will set the expire date on the account
    strExpireDate = "<Date>"
    strUser = "<UserDN>" ' e.g. cn=test,ou=Sales,dc=test,dc=com

    Set objUser = GetObject("LDAP://" & strUser)
    objUser.AccountExpirationDate = strExpireDate
    objUser.SetInfo ' commit the expiration date to the directory
    WScript.Echo "Set user " & strUser & " to expire on " & strExpireDate
      Re: User Permission and Expiry

      nice one.. close but not quite..

      Here you have taken User1's permissions and given them to Test user and then expired the account after 'x' days??

      I don't want to expire any accounts; what I need to be able to do is take the group membership away.

      So Test user has been given User1's group permissions for 'x' amount of days. At the end of that time, those group permissions are stripped away..

      So I guess you could after 'x' amount of days have a script that reverses the first process ?? Make sense ?

      One thing I thought possible was maybe adding a couple of new fields in AD to store the data, i.e. group expiry etc. But then thought it would probably be easier to store it all in SQL and have the script call a web service hourly to check the accounts that are stored in SQL...

      Anyway that was just an idea.. I'm not a developer.
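
The grant-then-reverse approach discussed in this thread, as an added PowerShell example that is not from any of the posters: one function copies group memberships and records each grant with an expiry, and a second function, run on a schedule, removes whatever has expired. It assumes the ActiveDirectory module is installed; the function names and the ledger path are hypothetical, and a CSV file stands in for the SQL store mentioned above.

```powershell
# Added example (not from the thread). Function names and $Ledger are hypothetical.
Import-Module ActiveDirectory
$Ledger = 'C:\Scripts\delegations.csv'   # assumed path; restrict its ACL to admins

function Grant-DelegatedGroups {
    param([string]$From, [string]$To, [int]$Days)
    $expires = (Get-Date).AddDays($Days).ToString('o')
    # Groups the stand-in already holds are never recorded, otherwise the
    # revoke step would strip memberships that were theirs to begin with.
    $already = @((Get-ADPrincipalGroupMembership -Identity $To).DistinguishedName)
    foreach ($g in Get-ADPrincipalGroupMembership -Identity $From) {
        if ($already -contains $g.DistinguishedName) { continue }
        Add-ADGroupMember -Identity $g.DistinguishedName -Members $To -ErrorAction Stop
        # Record each grant immediately so a failure part-way through
        # cannot leave a membership that nothing will ever remove.
        [pscustomobject]@{
            Group = $g.DistinguishedName; Member = $To
            Owner = $From; Expires = $expires
        } | Export-Csv -Path $Ledger -Append -NoTypeInformation
    }
}

function Revoke-ExpiredDelegations {
    if (-not (Test-Path $Ledger)) { return }
    $now  = Get-Date
    $keep = foreach ($row in Import-Csv -Path $Ledger) {
        if ([datetime]$row.Expires -gt $now) { $row; continue }   # not due yet
        try {
            Remove-ADGroupMember -Identity $row.Group -Members $row.Member `
                -Confirm:$false -ErrorAction Stop
        } catch {
            Write-Warning "Could not remove $($row.Member) from $($row.Group): $_"
            $row   # keep the entry so the next run retries it
        }
    }
    # Rewrite the ledger with only the entries that are still pending
    if ($keep) { $keep | Export-Csv -Path $Ledger -NoTypeInformation }
    else       { Remove-Item -Path $Ledger }
}

# Grant-DelegatedGroups -From user1 -To user2 -Days 14
# Revoke-ExpiredDelegations    # run from a scheduled task, e.g. hourly
```

Only permissions that come from group membership are covered; rights granted directly to user1's account on a file or mailbox are not copied.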