nielsm
Jun 1, 2009



We're deploying a new application replacing an old one, and the design for the new application really wants several hundred AD groups to control access. The old application had no AD integration and used internal user management. Each user may need to be a member of between 3 and 20 of these new groups. Am I right in thinking this is a potential problem due to how the user's Kerberos ticket will grow?

I want to propose a wild-shot solution of standing up a new domain only for holding groups for this application, making them local groups in this domain, and keeping users logging in through the regular domain. Am I right in thinking local groups on a different domain (same forest) will not "pollute" users' Kerberos tickets?
We do have an identity management solution in place, so managing user memberships of groups on another domain should not be much of a problem.
Is this a totally crazy idea?

nielsm
Jun 1, 2009



Toast Museum posted:

Isn't this the sort of thing AD LDS is for?

I don't know, is it? As far as I understand, since an LDS instance is not part of an AD forest, there can't be any trust relationships, and group memberships couldn't really be verified by the LDS server.

skipdogg posted:

3 to 20 groups shouldn't blow up your token too badly. I've only run into it a couple of times in my career, and the users affected had 150+ groups and 2 SIDHistory entries.

I definitely remember one situation where a user was prevented from accessing a web application served by an Apache2 server, it threw an error about the Authorize header being too long. I think that user was member of perhaps 50 groups, and it was resolved by removing some group memberships. (Lots of legacy crap that was no longer relevant.)
With our naming standards and OU structure, each of these groups would probably be 20-30 characters for the CN, and upwards of 110 characters for the full DN.

nielsm
Jun 1, 2009



The app is actually SharePoint based, and I wanted to recommend using SP groups, but the vendor strongly discourages that for vague reasons I'm not entirely sure I agree with. I'm not the one to make actual technical decisions on the environment, the most I can do is make recommendations. So really, I hope you don't mind me just using this thread to throw some ideas at the wall before offering them to the real audience.

I had the impression that domain local groups in other domains would not be present in your token at all, if you don't log on to that domain, but they do?
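
An added worked example for the token-size question raised in the posts above (this is editorial example code, not part of nielsm's or skipdogg's posts). It applies the estimate Microsoft publishes in KB 327825, TokenSize = 1200 + 40d + 8s, where d is the number of domain local groups plus universal groups outside the account domain plus SIDHistory entries, and s is the number of global groups plus universal groups in the account domain. It then counts a real user's effective memberships by scope from the constructed tokenGroups attribute, and finally does a rough check of whether the resulting Authorization: Negotiate header would fit Apache's default LimitRequestFieldSize of 8190 bytes. Note that the PAC carries group SIDs (RIDs for groups in the account domain), not names, so CN or DN length does not affect the size; only the number and scope of groups do. The user name, the global catalog address and the sample counts are assumptions.

```powershell
# Added example, not code from the thread. Token-size estimate per Microsoft KB 327825:
#     TokenSize = 1200 + 40*d + 8*s
# d = domain local groups + universal groups outside the account domain + SIDHistory entries
# s = global groups + universal groups in the account domain
function Get-EstimatedTokenSize {
    param(
        [int]$DomainLocalGroups,
        [int]$GlobalGroups,
        [int]$UniversalGroupsInDomain = 0,
        [int]$UniversalGroupsOutsideDomain = 0,
        [int]$SidHistoryEntries = 0
    )
    $d = $DomainLocalGroups + $UniversalGroupsOutsideDomain + $SidHistoryEntries
    $s = $GlobalGroups + $UniversalGroupsInDomain
    return 1200 + (40 * $d) + (8 * $s)
}

# Counts a user's effective (nested) memberships by scope from tokenGroups, the
# constructed attribute that reflects what the KDC puts in the PAC. Requires the
# ActiveDirectory module. Groups from other domains in the forest are resolved
# through a global catalog (port 3268); the $GlobalCatalog value is an assumption.
function Get-TokenGroupCounts {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$GlobalCatalog = 'dc01.corp.example:3268'
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties tokenGroups, sIDHistory
    $accountDomain = $user.SID.AccountDomainSid.Value
    $counts = [ordered]@{
        DomainLocal            = 0
        Global                 = 0
        UniversalInDomain      = 0
        UniversalOutsideDomain = 0
        WellKnownOrBuiltin     = 0          # e.g. Authenticated Users; covered by the 1200-byte overhead
        SidHistory             = @($user.sIDHistory).Count
    }
    foreach ($raw in $user.tokenGroups) {
        # tokenGroups may come back as SecurityIdentifier objects or raw byte arrays.
        $sid = if ($raw -is [byte[]]) {
            New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
        } else {
            [System.Security.Principal.SecurityIdentifier]$raw
        }
        $group = Get-ADGroup -Identity $sid -Server $GlobalCatalog -ErrorAction SilentlyContinue
        if (-not $group) { $counts.WellKnownOrBuiltin++; continue }
        switch ("$($group.GroupScope)") {
            'DomainLocal' { $counts.DomainLocal++ }
            'Global'      { $counts.Global++ }
            'Universal'   {
                if ($sid.AccountDomainSid.Value -eq $accountDomain) { $counts.UniversalInDomain++ }
                else { $counts.UniversalOutsideDomain++ }
            }
        }
    }
    return $counts
}

# Rough check against Apache's default LimitRequestFieldSize (8190 bytes). The
# Authorization: Negotiate header carries the base64-encoded Kerberos AP-REQ, and
# base64 inflates the binary size by 4/3. The ticket size is approximated here by
# the token-size estimate, so treat the result as an indicator, not an exact figure.
function Test-NegotiateHeaderFits {
    param([int]$TicketBytes, [int]$LimitRequestFieldSize = 8190)
    $headerBytes = 'Authorization: Negotiate '.Length + ([math]::Ceiling($TicketBytes / 3) * 4)
    [pscustomobject]@{
        HeaderBytes = $headerBytes
        Limit       = $LimitRequestFieldSize
        Fits        = ($headerBytes -le $LimitRequestFieldSize)
    }
}

# Sample counts (assumed) for the two scenarios discussed in the thread.
$newApp   = Get-EstimatedTokenSize -DomainLocalGroups 20  -GlobalGroups 50
$bloated  = Get-EstimatedTokenSize -DomainLocalGroups 150 -GlobalGroups 0 -SidHistoryEntries 2
Test-NegotiateHeaderFits -TicketBytes $newApp
Test-NegotiateHeaderFits -TicketBytes $bloated

# Measuring a real account (the sAMAccountName is an assumption):
$c = Get-TokenGroupCounts -SamAccountName 'jdoe'
Get-EstimatedTokenSize -DomainLocalGroups $c.DomainLocal -GlobalGroups $c.Global `
    -UniversalGroupsInDomain $c.UniversalInDomain -UniversalGroupsOutsideDomain $c.UniversalOutsideDomain `
    -SidHistoryEntries $c.SidHistory
```

The estimate is deliberately conservative in one direction: domain local groups from a resource domain are added by that domain's KDC when it issues a service ticket, so they show up in the ticket presented to servers in that domain, which is why the formula charges 40 bytes for each of them rather than treating them as free. Counting with tokenGroups rather than memberOf matters because nested and primary-group memberships end up in the PAC too.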

nielsm
Jun 1, 2009



klosterdev posted:

Now that W7 is mostly migrated, I need a way to get any remaining W7 laptops on the domain out of the woodwork.

What's a GPO I could hit W7 systems with that would cause a situation that would be annoying enough that the users will have to give us a call, but is remotely reversible (so no breaking the NIC) once I can get their info down and a promise to bring their laptops to HQ?

Hot Dog Stand color theme.

nielsm
Jun 1, 2009



You can't sit in the parking lot and reach wifi?

nielsm
Jun 1, 2009



I'm pretty sure it is possible, and what you want is a security-enabled distribution group. Those may need to be universal groups, not just domain-local or global.

nielsm
Jun 1, 2009



PowerShell has a PrintManagement module since Windows 8, I believe.

Assuming the printer is installed on the machine, I think you can use the Get-Printer command and then filter by PortName. Perhaps you need to first use Get-PrinterPort to find the appropriate port name.
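
An added example of the Get-PrinterPort/Get-Printer join described above (editorial example code, not from nielsm's post). Get-Printer only knows the port name, while Get-PrinterPort knows the host address for standard TCP/IP ports, so the lookup goes port first, then printer. The host address and computer name are assumptions.

```powershell
# Added example, not code from the thread. Finds printers whose port targets a
# given host by joining Get-PrinterPort (has PrinterHostAddress for standard
# TCP/IP ports) to Get-Printer (has only PortName). Requires the PrintManagement module.
function Get-PrinterByHostAddress {
    param(
        [Parameter(Mandatory)][string]$HostAddress,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # Port types other than standard TCP/IP (e.g. LPT, file) have no host address
    # and simply fall out of the filter.
    $ports = Get-PrinterPort -ComputerName $ComputerName |
        Where-Object { $_.PrinterHostAddress -eq $HostAddress }
    if (-not $ports) { return }

    Get-Printer -ComputerName $ComputerName |
        Where-Object { $_.PortName -in @($ports.Name) } |
        Select-Object Name, DriverName, PortName, Shared, ShareName
}

# Assumed address of the printer being searched for.
Get-PrinterByHostAddress -HostAddress '10.20.30.40'
```

Running this against a print server with -ComputerName works the same way, since both cmdlets accept that parameter.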

nielsm
Jun 1, 2009



I can't find anything either, and it doesn't look like SQL Server has any concept of pluggable authentication modules or such. You either supply a login/password for SQL Server Authentication, or you supply a Kerberos ticket for Windows Authentication.
Now, you could perhaps find something that can supply you a Kerberos ticket via Radius authentication, but that does of course add another step.

nielsm
Jun 1, 2009



Not entirely sure where to ask this, but:
Does anyone have a suggestion as to why I can modify AD objects when using the GUI ADUC snap-in, but not through PowerShell? Both are running as the same user in the same interactive login.
I tried three different ways of doing the change via PowerShell and they all fail with a permission denied error: the ActiveDirectory module, the System.DirectoryServices.DirectoryEntry class, and the System.DirectoryServices.AccountManagement.Principal class.

nielsm
Jun 1, 2009



Disabling some accounts. The user that PowerShell is running as does have the required permission. At least the same user is able to do it via the GUI.

nielsm
Jun 1, 2009



You can probably use OBS Studio as a way to do screen sharing hacks.

Two ways:
Open the live preview in a window, and share that live preview window. You can then adjust and scale the part of the desktop you're sharing by changing the scale and crop in the OBS controls.
Or you can install the virtual webcam feature and tell your video meeting app to transmit that as your webcam. This will probably be lower quality, but less mess on your desktop.

nielsm
Jun 1, 2009



sporkstand posted:

I'm looking for a way for an Azure AD joined machine to ONLY allow logins from local accounts. This is for a machine that some of our computerless users will use to log in and do their mandatory trainings. I'd like to have them log in using a local 'Training' account, then once logged in, launch a browser and log into the training system using their personal credentials. These are older machines (with no budget to purchase anything new) so I'd prefer to not have a bunch of user profiles taking up space on the machine if possible.
Any ideas?

Consider if setting up a Mandatory Profile will solve the goal. It's a way to force a computer to use a specific local profile when a user logs on, and discard that profile again when the user logs off. The user is still logged on with their own credentials, but doesn't get any personalization.

https://learn.microsoft.com/en-us/windows/client-management/mandatory-user-profile

Edit: After re-reading that article I'm no longer so sure if this would solve your use case. First, it might not be possible with Azure AD, and second it might be a global property for the user rather than something you can set up per-machine.

nielsm fucked around with this message at 07:20 on Mar 25, 2023

nielsm
Jun 1, 2009



If you want to do it interactively from Explorer, your only choice is basically to create an interactive logon session (such as Remote Desktop) as the user that has permission to access those file shares.

If it's something you can script your way out of, PowerShell is very convenient for collecting credentials once and then reusing those for establishing multiple connections to different machines.
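
An added example of the collect-once, reuse-many pattern described above (editorial example code, not from nielsm's post). It prompts for one credential, maps several shares on different servers as PSDrives with it, runs a quick inventory through each drive, and always tears the connections down again. Server and share names are assumptions.

```powershell
# Added example, not code from the thread. One Get-Credential, several SMB
# connections, guaranteed cleanup.
$cred = Get-Credential -Message 'Account with access to the file shares'

# Hypothetical targets; each key becomes the PSDrive name.
$shares = [ordered]@{
    HR      = '\\fs01.corp.example\HR$'
    Finance = '\\fs02.corp.example\Finance'
    Logs    = '\\app03.corp.example\Logs$'
}

$mapped = @()
try {
    foreach ($name in $shares.Keys) {
        # -Credential is honoured for FileSystem drives with a UNC root. -ErrorAction Stop
        # turns a failed mapping into a terminating error instead of a silent gap.
        New-PSDrive -Name $name -PSProvider FileSystem -Root $shares[$name] `
            -Credential $cred -Scope Global -ErrorAction Stop | Out-Null
        $mapped += $name
    }

    # Work through the mapped drives; here, a per-share file count and size.
    foreach ($name in $mapped) {
        $files = Get-ChildItem -Path "${name}:\" -File -Recurse -ErrorAction SilentlyContinue
        $sum   = ($files | Measure-Object -Property Length -Sum).Sum
        [pscustomobject]@{
            Share     = $shares[$name]
            FileCount = @($files).Count
            SizeMB    = [math]::Round(($sum / 1MB), 1)
        }
    }
}
finally {
    # Drop the connections whether or not the work succeeded, so no session bound
    # to the supplied credential lingers on the client.
    foreach ($name in $mapped) {
        Remove-PSDrive -Name $name -Force -ErrorAction SilentlyContinue
    }
}
```

One caveat worth knowing before relying on this: Windows allows only one set of credentials per client toward a given server at a time. If the interactive user already has a connection open to fs01 under their own account, mapping another share on fs01 with a different credential fails with error 1219 (multiple connections to a server by the same user using more than one user name are not allowed), and the fix is to disconnect the existing session first, not to retry.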

nielsm
Jun 1, 2009



Crosby B. Alfred posted:

Does anyone here ever work with MIM outside of the synchronization engine with AD? Has anyone done integrations into other LDAPs directories or designed actual workflows? How is that?

Developing integrations with MIM to all sorts of things that vaguely resemble a directory is part of my job description. I'm still very new to it, but have put one little thing in production at least.
However it's only using the synchronization engine and developing extensions for that, not any other components.

nielsm
Jun 1, 2009



Day to day, it tends to be very maintenance-free when the agents are well enough written and the source data is of good quality.

The difficulty depends a whole lot on what systems you're tasked to integrate with, how sensible their APIs are, and how well your requirements docs are written.

Basically, to integrate something with MIM, you need a management agent that can read and write the relevant objects in the system. You can either write one from scratch in C# (there are templates to start from), or use one of the generic MAs that offer frameworks to e.g. implement things in PowerShell or access data in an SQL database.
The learning curve can be a bit tough; there's a ton of theory about how the sync engine works that you need to have a good grasp of, and the total configuration ends up scattered across a lot of modules.
It's absolutely a programming job.


In general, if you have a remote system that has objects with attributes, and an API to create, read, update, list, and delete those objects, you can make MIM manage it. It technically doesn't have to be user accounts at all.

nielsm
Jun 1, 2009



Honestly, I'm not sure. I'm on a team with an experienced consultant who's been teaching me. Assuming you don't have that, my best suggestion is to look for courses and tutorials and try to build something. You can find various open sourced management agents and rules extensions projects to work off too, but a lot of it is also configuration outside just the code and DLLs.

nielsm
Jun 1, 2009



I don't know about Exchange Online, but on-prem you can add (universal) groups to the Full Access and Send As permissions. The limitation when doing that, still on-prem, is that users don't get the mailbox added to the property on their AD object that tells Outlook to automatically open the mailbox.

nielsm
Jun 1, 2009



I guess the main catch with SPO/OneDrive for Business is that it works best with the Office suite and other software designed to work with it. Everything else needs to behave well in an environment where files are downloaded and uploaded and there might not be a proper locking mechanism.

nielsm
Jun 1, 2009



incoherent posted:

Those Excel and PPT files need to go to OneDrive. Unless these are scientists that go off the grid with shares, SharePoint resolves multi-office file writes. (with the exception of Access lol)

If you for some reason do use Access databases, consider splitting them so all the tables are stored in an Azure SQL Server instance, and the MDB file only contains the forms and VBA code there might be. At least I think that is possible.

nielsm
Jun 1, 2009



Shared workstations scenario maybe? Support nightmare: "I set up my pin two hours ago and now it's not working!" "Is it the same computer?" "It says Dell on the screen, of course it's the same!"

nielsm
Jun 1, 2009



What's your goal with using the "hardware" RAID? You probably won't gain much that you couldn't do with Windows' own dynamic disks, or maybe using ReFS. (I don't remember, can you boot from either of those now?)
