
How can I set up minimal ssh access to AD groups so the help desk can run the command "user unlock aaa (username)" and not have admin access?


David Lowe 2


Situation:

We currently need to have our Level 1 help desk contact our Level 3 admins in order to unlock users that lock themselves out while trying to log into Citrix remotely through the Netscaler. The users get prompted to wait 30 minutes before trying again when they call the help desk. The Level 3 admins have to SSH into the Netscaler and run "user unlock aaa (username)" to clear the lock early.

What I am looking for:

We are looking to either provide minimal ssh access for Level 1, or see if there is a script out there that can be run, i.e., run a script that prompts for the username, then the script makes the connection and runs the command.

Any help would be greatly appreciated.


Do you have ADM in place? Then build a config template, which has the username as a variable and uses this command to unlock the user. Then you can give the Level 1 group permissions to execute this particular config template.

With that you have a kind of self service unlock.

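The script the question asks for, sketched as an added example that is not part of the original thread: a wrapper that accepts only a strictly validated username before sending the one unlock command over SSH. The host name, the `helpdesk-unlock` account, key-based login and the `DRY_RUN` switch are assumptions; the command text is copied from the question, so confirm it on the appliance.

```shell
#!/bin/sh
# Added example: help-desk wrapper that sends one fixed unlock command.
# NS_HOST, NS_USER and DRY_RUN are assumptions, not values from the thread.
LC_ALL=C; export LC_ALL
NS_HOST=${NS_HOST:-netscaler.example.internal}   # hypothetical appliance name
NS_USER=${NS_USER:-helpdesk-unlock}              # hypothetical low-privilege account

# Accept 1-64 characters from [A-Za-z0-9._-], not starting with '-' or '.'.
# Anything else (spaces, ';', quotes, newlines) could change the remote command.
valid_username() {
    case "$1" in
        ''|-*|.*) return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 64 ]
}

# Print the single command line to send, or fail without output.
# Command text is copied from the question; confirm it on your appliance.
build_unlock_cmd() {
    valid_username "$1" || return 1
    printf 'user unlock aaa %s\n' "$1"
}

# Returns 2 on a rejected username, otherwise ssh's exit status.
unlock_user() {
    cmd=$(build_unlock_cmd "$1") || {
        echo "rejected: not a valid username" >&2
        return 2
    }
    if [ "${DRY_RUN:-0}" = 1 ]; then
        # Show what would be sent without opening a connection.
        printf 'ssh %s@%s %s\n' "$NS_USER" "$NS_HOST" "$cmd"
        return 0
    fi
    # BatchMode: key-based login only, never prompt the operator for a password.
    ssh -o BatchMode=yes "$NS_USER@$NS_HOST" "$cmd"
}

# Usage: ./unlock.sh <username>   (does nothing when called without arguments)
if [ "$#" -ge 1 ]; then
    unlock_user "$1"
fi
```

The wrapper only constrains what this script sends; the account it logs in with still needs its rights on the appliance limited to the unlock command, otherwise Level 1 can bypass the script by connecting directly.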
