
Adaxes Support,

Is there a way to disable the Nested Group function of Active Directory in Adaxes? We are using some nested groups in rare cases, but our corporate standard is to not use nested groups due to the security ramifications and the complexity of deeply nested groups. I have tried to deny rights to the memberOf attribute in the permissions that are applied to the Owner (Managed By) Trustee assigned over the OU that all our groups are in, but this attempt did not work. How can we accomplish turning off or blocking users that manage groups so that they can only add members and not nest groups?

Rodney


1 Answer


Hello Rodney,

There are two ways you can implement your task.

1. Disallow adding groups to other groups with the help of a Business Rule

You can disallow adding groups to other groups at the Adaxes service level, that is, nobody will be able to add groups to other groups in Adaxes. For this purpose you can create a Business Rule executed before adding a member to a group. When the Business Rule is triggered, it will launch a PowerShell script that cancels adding a member to a group if the new member is another group. If you want to implement this solution, we can help you with the script.

2. Configure Adaxes Web interface

Alternatively, you can configure Adaxes Web interface so that it will not allow adding groups to other groups.

For this purpose, first of all, you need to configure the form that is used for viewing groups and disallow adding/removing group members in the Members section. After doing this, adding/removing members will be possible only in the Member Of section of AD objects or with the help of Home Page Actions. So, to add a user to a group, for example, you will need to locate the necessary user and add him/her to the necessary group in the user's Member Of section. Additionally, you can configure a Home Page Action that allows adding members to groups and configure the action in such a way that it doesn't allow adding groups to other groups. To implement such a solution:

  1. Launch the Web Interface Configuration tool.
  2. In the Interface type drop-down list, select the Web Interface you want to configure.
  3. Activate the AD Management tab.
  4. Click Customize Forms and Views.
  5. In the dialog box that appears, select the Group object type and activate the View tab.
  6. Select the Members section.
  7. In the Section Parameters section, deselect the Allow adding/removing members option.
  8. Click OK.
  9. For information on how to create a Home Page Action that allows adding members to groups, see Add to Group in Configure Home Page Actions. In Step 3 you will find information on how to allow adding only objects of specific types.

By the way, in our next version, which will be available at the end of September, it will be possible to specify which types of objects will be displayed in the Members and Member Of sections and can be added/removed in these sections.


I think option 1 will work for us. Can you provide the PowerShell script that can block nested groups?

Thanks,

Rodney


Hello Rodney,

Yes, sure, here you are:

# %member% is resolved by Adaxes to the DN of the object being added to the group
$member = $Context.BindToObjectByDN("%member%")

# Cancel the operation if the new member is itself a group
if ($member.Class -ieq "group")
{
    $Context.Cancel("You cannot add groups to other groups!") # TODO: modify me
}

To create a Business Rule that does not allow adding groups to other groups:

  1. Create a new Business Rule.
  2. On the 2nd step of the Create Business Rule wizard, select Group and Before Adding a member to a Group.
  3. On the 3rd step, add the Run a program or PowerShell script action and paste the above script in the Script field.
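Since the original question mentions that a few nested groups are still needed in rare cases, the following is an added example (not part of the support answer above) that extends the posted Business Rule script with an allow-list of parent groups where nesting is tolerated, fails closed if the member cannot be resolved, and records each decision in the Adaxes log. It assumes the same Adaxes script context as the posted script ($Context, the %member% and %distinguishedName% value references, and $Context.LogMessage); the allow-list DNs are constructed placeholders.

```powershell
# Added example: block group nesting unless the target group is on an allow-list.
# Assumes the Adaxes Business Rule context ($Context, %member%, %distinguishedName%).

# Parent groups where nesting is still permitted (constructed placeholder DNs).
$allowedParents = @(
    "CN=Nesting-Exception-1,OU=Groups,DC=example,DC=com",
    "CN=Nesting-Exception-2,OU=Groups,DC=example,DC=com"
)

# %distinguishedName% resolves to the group the member is being added to.
$targetDN = "%distinguishedName%"

# %member% resolves to the DN of the object being added.
try
{
    $member = $Context.BindToObjectByDN("%member%")
}
catch
{
    # Fail closed: if the member cannot be resolved, do not let the change through.
    $Context.Cancel("Could not resolve the new member; the change was cancelled.")
    return
}

# Users, computers, contacts and other non-group objects are always allowed.
if ($member.Class -ine "group")
{
    return
}

$memberDN = $member.Get("distinguishedName")

# Case-insensitive DN comparison against the allow-list.
if ($allowedParents -icontains $targetDN)
{
    # Nesting into an approved parent: permit it but leave an audit trail.
    $Context.LogMessage("Nesting exception used: $memberDN added to $targetDN", "Warning")
}
else
{
    # Default: nesting is blocked and the attempt is logged for review.
    $Context.LogMessage("Blocked nested group: $memberDN into $targetDN", "Error")
    $Context.Cancel("Nested groups are not permitted by corporate standard. Contact IT if an exception is required.")
}
```

The allow-list entries should be reviewed periodically, since each one is a standing exception to the nesting policy.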
