
Adaxes Support,

Is there a way to disable the Nested Group function of Active Directory in Adaxes? We are using some nested groups in rare cases, but our corporate standard is to not use nested groups due to the security ramifications and the complexity of deeply nested groups. I have tried to deny rights to the memberOf attribute in the permissions that are applied to the Owner (Managed By) Trustee assigned over the OU that all our groups are in, but this attempt did not work. How can we accomplish turning off or blocking users that manage groups so they can only add members and not nest groups?

Rodney

by (850 points)

1 Answer

by (213k points)

Hello Rodney,

There are two ways you can implement your task.

1. Disallow adding groups to other groups with the help of a Business Rule

You can disallow adding groups to other groups at the Adaxes service level, that is, nobody will be able to add groups to other groups in Adaxes. For this purpose you can create a Business Rule executed before adding a member to a group. When the Business Rule is triggered, it will launch a PowerShell script that will cancel adding a member to a group if the new member is another group. If you want to implement this solution, we can help you with the script.

2. Configure Adaxes Web interface

Alternatively, you can configure the Adaxes Web interface so that it will not allow adding groups to other groups.

For this purpose, first of all, you need to configure the form that is used for viewing groups and disallow adding/removing group members in the Members section. After doing this, adding/removing members will be possible only in the Member Of section of AD objects or with the help of Home Page Actions. So, to add a user to a group, for example, you will need to locate the necessary user and add him/her to the necessary group in the user's Member Of section. Additionally, you can configure a Home Page Action that allows adding members to groups and configure the action in such a way that it doesn't allow adding groups to other groups. To implement such a solution:

  1. Launch the Web Interface Configuration tool.
  2. In the Interface type drop-down list, select the Web Interface you want to configure.
  3. Activate the AD Management tab.
  4. Click Customize Forms and Views.
  5. In the dialog box that appears, select the Group object type and activate the View tab.
  6. Select the Members section.
  7. In the Section Parameters section, deselect the Allow adding/removing members option.
  8. Click OK.
  9. For information on how to create a Home Page Action that allows adding members to groups, see Add to Group in Configure Home Page Actions. In Step 3 you will find information on how to allow adding only objects of specific types.

By the way, in our next version, which will be available at the end of September, it will be possible to specify which types of objects will be displayed in the Members and Member Of sections and can be added/removed in these sections.


I think option 1 will work for us. Can you provide the PowerShell script that can block nested groups?

Thanks,

Rodney


Hello Rodney,

Yes, sure, here you are:

# %member% is replaced by Adaxes with the DN of the object being added to the group.
$member = $Context.BindToObjectByDN("%member%")

# Cancel the operation if the new member is itself a group (i.e. this would create a nested group).
if ($member.Class -ieq "group")
{
    $Context.Cancel("You cannot add groups to other groups!") # TODO: modify me
}

To create a Business Rule that does not allow adding groups to other groups:

  1. Create a new Business Rule.
  2. On the 2nd step of the Create Business Rule wizard, select Group and Before Adding a member to a Group.
  3. On the 3rd step, add the Run a program or PowerShell script action and paste the above script into the Script field.
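An added example, not part of the thread above and not Softerra's own code: a variant of the Business Rule script that still blocks nesting by default but permits it for an explicitly approved list of container groups (the "rare cases" mentioned in the question), and records both outcomes in the Adaxes log. It is written for the same "Before Adding a member to a Group" trigger and uses `$Context.TargetObject` (the group being modified) and `$Context.LogMessage` in addition to the calls in the original script; the approved DN is a placeholder to be replaced with your own. Note that a Business Rule only governs operations that pass through the Adaxes service (web interface, administration console, Adaxes PowerShell); changes made with native AD tools against a domain controller are not intercepted, so the AD permissions on the group objects still matter.

```powershell
# Added example: block nested groups except for an approved set of container groups.
# Trigger: Business Rule "Before Adding a member to a Group".

# Placeholder DNs of groups that are allowed to contain other groups (assumption: replace with yours).
$approvedNestingGroups = @(
    "CN=App-AllStaff,OU=Groups,DC=example,DC=com"
)

# %member% is replaced by Adaxes with the DN of the object being added.
$member = $Context.BindToObjectByDN("%member%")

# $Context.TargetObject is the group that is being modified.
$targetGroupDN = $Context.TargetObject.Get("distinguishedName")

if ($member.Class -ieq "group")
{
    $memberDN = $member.Get("distinguishedName")

    if ($approvedNestingGroups -icontains $targetGroupDN)
    {
        # Approved container group: allow the nesting but leave an audit trail.
        $Context.LogMessage("Nesting group '$memberDN' into approved container group '$targetGroupDN'.", "Information")
    }
    else
    {
        # Everything else: log the attempt and cancel the operation.
        $Context.LogMessage("Blocked attempt to nest group '$memberDN' into '$targetGroupDN'.", "Warning")
        $Context.Cancel("You cannot add groups to other groups. '$memberDN' was not added to '$targetGroupDN'.")
    }
}
# Users, computers and contacts are added normally.
```

Keep the approved list short and review it together with the groups' Managed By owners; once a container group may nest, anyone who can add members to it can pull in an arbitrarily deep membership tree.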
