The Active Directory team maintains a set of PowerShell scripts at https://github.austin.utexas.edu/eis1-aad/RequestsByAttribute to assist department administrators with this process. These scripts must be run on a Windows system joined to the Austin Active Directory and the system must have the Active Directory PowerShell module installed.

• Get-ADRequests.ps1 - displays the pending requests for a department
• Get-ADResults.ps1 - displays the results of any requests for a department
• Add-ADDelegationRequest.ps1 - submits a new delegation request for a department
• Remove-ADDelegationRequst.ps1 - remove a pending delegation request for a department

Request a delegation

1. Download the scripts in the RequestByAttribute repo to a local directory.

2. Start a PowerShell session as a department administrator. 

   Complete the following steps in this PowerShell session unless instructed otherwise

   
   

3. Navigate to the directory where the RequestByAttribute scripts are located.

4. Run the following commands to request a delegation: 

   The following example would submit a request to grant the Computer delegation to the EXAMPLE-ComputerAdmins on the OU=Computers,OU=EXAMPLE,OU=Departments,DC=austin,DC=utexas,DC=edu organizational unit. The example must be run by a department administrator in the EXAMPLE department.

   
   

   .\Add-ADDelegationRequest.ps1 -Department 'EXAMPLE' -Action 'Grant' -Delegation 'Computer' -Principal 'EXAMPLE-ComputerAdmins' -Path 'OU=Computers,OU=EXAMPLE,OU=Departments,DC=austin,DC=utexas,DC=edu'

   
   

5. Run the following commands to review the pending request: 

   .\Get-ADRequests.ps1 -Department 'EXAMPLE'

   
   

6. Wait until a few minutes after the next hour. 

   Requests are processed every hour within the first few minutes.

   
   

7. Run the following commands to review the results of the request: 

   .\Get-ADResults.ps1 -Department 'EXAMPLE'

   
   

The OpenLDAP ldapmodify and Kerberos kinit tools can be leveraged together to submit delegation requests to the Austin Active Directory by directly adding the delegation request JSON string to the requests attribute. Please see the Requests By Attribute - Technical Details page for more information about the components of the process.

Request a delegation

1. Ensure that your system is connect to the UT VPN

   VPN access is required to retrieve a Kerberos ticket

   
   

2. Start a command-line terminal if using a graphical UI

3. Ensure that the required packages are installed: 

   Operating System	OpenLDAP	Kerberos
   macOS	included	included
   RHEL	openldap-clients	krb5-workstation
   Ubuntu	ldap-util	krb5-user

   
   

4. Modify then save the contents of the following code block to define the delegation request:

   dn: ou=example,ou=departments,ou=administrative,dc=austin,dc=utexas,dc=edu changetype: modify add: utexasEduAustinMulti1 utexasEduAustinMulti1: {"Timestamp":"2024-03-01T12:00:00.000Z","Type":"Delegation","Action":"Grant","Delegation":"Group","Principal":"EXAMPLE-ComputerAdmins","Path":"OU=Computers,OU=EXAMPLE,OU=Departments,DC=austin,DC=utexas,DC=edu","RequestedBy":"EXAMPLE-abc123"}

   
   

5. Modify then run the following commands to retrieve a Kerberos ticket:

   Replace the <dept-admin> in the following command with your department administrator username. The domain name must be capitalized. The example-abc123 department administrator would run the following: example-abc123@AUSTIN.UTEXAS.EDU

   
   

   kinit <dept-admin>@AUSTIN.UTEXAS.EDU

   
   

6. Modify then run the following commands to submit the delegation request: 

   Replace example in the LDIF file name with the actual file name

   
   

   ldapmodify -Q -H "ldap://austin.utexas.edu" -f example.ldif

   
   

7. Modify then run the following commands to review the pending request: 

   Replace example in both the DN and filter with the actual department name

   
   

   ldapsearch -Q -H "ldap://austin.utexas.edu" -b "ou=example,ou=departments,ou=administrative,dc=austin,dc=utexas,dc=edu" -s base "(ou=example)" utexasEduAustinMulti1

   
   

8. Wait until a few minutes after the next hour. 

   Requests are processed every hour within the first few minutes.

   
   

9. Modify then run the following commands to review the results of the request: 

   Replace example in both the DN and filter with the actual department name

   
   

   ldapsearch -Q -H "ldap://austin.utexas.edu" -b "ou=example,ou=departments,ou=administrative,dc=austin,dc=utexas,dc=edu" -s base "(ou=example)" utexasEduAustinMulti2