
Access template permissions after group add/removal

We're working on implementing ARS 7.0 (clean install) after having 6.9 for quite a while. We've kind of hit a snag with our elevated permissions.

We have workstation support that uses temporal membership to "elevate" themselves into a group that gives them permissions to read LAPS/BitLocker keys, etc. I can either elevate or put myself into that elevated group that has an access template assigned to it to allow the users to perform these tasks, but the permissions never get applied.

The only way for the permissions to be applied is to restart the ARS Administration Service; after doing that, I am able to read the LAPS/BitLocker keys, etc.

This worked flawlessly in 6.9; maybe sometimes it took a minute or two for the permissions to apply, but that's it.

Any ideas?

  • No, the process has nothing to do with Windows.

    We have access templates assigned to certain groups that allow the users to read or write certain information in AD through ARS.

    In 6.9, a user could temporarily (temporal membership) elevate themselves into one of these privileged groups and they would instantly be able to read/write AD attributes because of the access template being applied.

    That no longer works in 7.0.3: if a user is put into a group that has an access template applied to that group, the permissions from the access template are not applied, not even if the user logs out and back in. The permissions only apply if the ARS Administration Service is restarted.

    So for example:

    A group called Workstation Support has an access template applied to it for a certain OU that allows users of that group to read LAPS and BitLocker recovery keys from computer objects.

    To begin, I'm not a part of the group Workstation Support, but I get added to that group through temporal membership or manual addition.

    In 6.9, I would instantly be able to read those values through ARS.

    In 7.0.3, I am not.