0 votes

Hey there,

We allow our staff to modify membership to certain AD groups by designating a person in the 'Managed By' field. That person then changes the group's members via Outlook. I noticed that, in Adaxes Web UIs, this person gets an 'Access Denied' message when attempting to add or remove members.

Basically, I'd like there to be some logic that says 'When looking at a group... If logged in user = Managed By user for this group, then allow them to modify group membership' without any object specific configuration. Is this possible?

Thanks!

by (60 points)

1 Answer

0 votes
by (18.0k points)

Update 2015

You can use the Owner (Managed By) security principal to grant the permissions. For details, have a look at section Grant rights to add or remove group members of the following tutorial: https://www.adaxes.com/tutorials_DelegatingPermissions_GrantRightsToModifyADGroupMembership.htm#assigned.

Original

Hi Kirk,

In one of the nearest releases we are planning to extend Security Roles to allow delegating permissions to object owners. This will allow you to grant the 'add/remove member' right to group managers.

However there is another way to implement what you need.

In 2011.3 it will be possible to use value references in Business Rule conditions. This will allow you to control access to objects based on the whether the operation initiator is the group manager or not.


What you will need to do:

  • With the help of Security Roles allow all users to add/remove members from certain groups (e.g. groups that belong to a Business Unit, or located under an OU).
  • Create a Business Rule that is triggered before adding/removing group members. If the operation initiator is not the group manager, this rule will cancel the operation (see screenshot above). Optionally this Business Rule can submit an approval request to the group manager.
0

Thank you, Eugene.

Is it possible to modify the approach below to account for situations where 'Managed By' property references a group instead of an individual?

0

Hello Kirk,

For now, you can do this with the help of a script:

  1. Create a Business Rule that is triggered before adding or removing members from a group.

  2. Add Run a program or PowerShell script action to the Business Rule.

  3. Specify the following PowerShell script for the action:

      Import-Module Adaxes
     $initiatorDN = "%adm-initiatorDN%"
     $managedByDN = "%managedBy%";
     $domainName = "company.com"; # TODO:
     $allowed = $FALSE;
    
     if ($initiatorDN -eq $managedByDN)
     {
         $allowed = $TRUE;
     }
     else
     {
         foreach ($group in Get-AdmPrincipalGroupMembership $initiatorDN -Server $domainName -adaxesservice localhost)
         {
             if ($group.DistinguishedName -eq $managedByDN) 
             { 
                 $allowed = $TRUE;
                 break;
             }; 
         }
     }
    
     if (-not $allowed)
     {
         $Context.Cancel("Access is denied");
     }
    
0

Thank you, sir! Very helpful.

0

Here is another script that can be used in the If PowerShell script returns true condition.
The script allows group membership modification for group managers and Adaxes service administrators.

Import-Module Adaxes

$groupDN = "%distinguishedName%"
$initiatorDN = "%adm-initiatorDN%"
$managedByDN = "%managedBy%"
$Context.ConditionIsMet =$True

# Test whether the initiator is a service administrator
$configurationSetSettingsPath = $Context.GetWellKnownContainerPath("ConfigurationSetSettings")
$configurationSetSettings = $Context.BindToObject($configurationSetSettingsPath)
if ($configurationSetSettings.AdministratorManager.AmIAdministrator())
{
    $Context.ConditionIsMet = $False;
}
else
{
    # Test whether the group is managed by the intiator
    if ($initiatorDN -eq $managedByDN)
    {
        $Context.ConditionIsMet = $False
    }
    else
    {
        $domainName = $Context.GetObjectDomain($initiatorDN)
        foreach ($group in Get-AdmPrincipalGroupMembership $initiatorDN -Server $domainName -adaxesservice localhost)
        {
            if ($group.DistinguishedName -eq $managedByDN)
            {
                $Context.ConditionIsMet = $False
                break
            };
        }
    }
}

To use the script, add the Cancel this operation action to your Business Rule and add the If PowerShell script returns true condition for the action. Use the script in the condition.

Related questions

0 votes
1 answer

We have a potentially complicated sitaution and so far I have no found a solution. Any suggestions will be greatly appreciated. We have specific security groups that ... or see any user details other than the memberships for these specific security groups.

asked Jan 2, 2023 by WannabeGuru (20 points)
0 votes
0 answers

I'd like to implement an architecture whereby all Domain Users can request membership in any domain security group. I'd also like to allow the OU Owners to have ... from their groups without granting them the ability to remove users from all security groups?

asked Mar 25, 2020 by sirslimjim (480 points)
0 votes
1 answer

Is it possible to for security groups that are nested under an OU to inherit that OU's 'Managed By' value? I'd like to grant the OU Owner rights to the security groups ... option is to manually edit each group one by one. Is there a script that automates this?

asked Mar 26, 2020 by sirslimjim (480 points)
0 votes
1 answer

In order to add a managed domain does it have to be trusted by the primary domain adaxes is installed an running in? I have set up a domain for testing adaxes and it ... I have set my host file to point the untrusted domain to it's primary Domain Controller.

asked Oct 5, 2022 by mightycabal (1.0k points)
0 votes
1 answer

I have a dropdown-field on the web surface, which is populated by a script. The script looks up all groups in a specific OU and displays them. In the Property Pattern ... random order. What should i do to show the groups in alphabetical order in the portal?

asked Sep 15, 2020 by lohnag (140 points)
3,298 questions
2,996 answers
7,668 comments
544,227 users