Trigger Alert/Warning message when accounts are added to AD Groups in specific OU

Dear Experts,

I am new to QARS (Quest One Active Roles). I would like to know if there is a way to trigger a pop-up/warning message when normal user accounts are added to restricted AD groups in specific OUs. We need to allow only highly privileged accounts (identified by some prefix XYZ) to be added to those groups. Sometimes we end up adding normal accounts (without prefix MPW), and we need to alert the admins while adding them.

It would be of great help

Thanks

sundas7

  • There are a couple of ways to approach this (and you can use all if you want):

    You could establish a group membership policy (using the built-in group membership autoprovisioning) that prevents accounts from being added to the restricted groups.  A simple example of such a policy would say that if a user has the word "Admin" in their title, that they must not be a member of Group A, Group B and Group C.  Implemented this way, you would see a message appear in a red bar atop the web interface if someone attempted an "illegal" group membership change like this.

    Another approach that would provide a different kind of notification (via e-mail) would be a "change workflow".  In the start conditions of the workflow, you could tell the workflow to watch for changes to groups in your "Restricted Groups" OU or a list of groups.  When triggered, the workflow could send a notification that an illegal change has been made AND remove the user from the group they should not be in.

    Of course, the best place to start all of this would be to restrict who can add users to your sensitive groups in the first place by placing them in a specific OU and then delegating membership changes only to a small subset of delegated admins.  You could also add an e-mail approval step for each group membership change - also initiated by a change workflow that watches for changes to the sensitive groups.

    Hope this helps.
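    As an added example (not from this thread or from Quest), here is the check behind the second approach written for the ActiveRoles Management Shell: it lists every direct user member of the groups under the restricted OU whose name does not start with the privileged prefix, e-mails the admins, and can remove the offenders. The OU path, prefix, mail settings, and the `Get-QAD*`/`Remove-QADGroupMember` parameter usage are assumptions for your environment, and the session is assumed to be connected through Active Roles (`Connect-QADService -Proxy`) so that policies and change history apply.

```powershell
# Added example: audit restricted groups for members lacking the privileged prefix.
# Assumes the ActiveRoles Management Shell cmdlets (Get-QADGroup, Get-QADGroupMember,
# Remove-QADGroupMember) are loaded and the session was opened with Connect-QADService -Proxy.
# OU path, prefix and mail settings below are placeholders for your environment.
param(
    [string]$RestrictedOU     = "OU=Restricted Groups,DC=example,DC=com",  # placeholder OU
    [string]$PrivilegedPrefix = "XYZ",                                     # prefix from the question
    [string]$AlertTo          = "admins@example.com",                      # placeholder recipient
    [string]$SmtpServer       = "smtp.example.com",                        # placeholder relay
    [switch]$Remediate                                                     # also remove offenders
)

# Membership rule kept as a plain function so a workflow script can reuse it:
# only names starting with the privileged prefix (case-insensitive) are allowed.
function Test-PrivilegedName {
    param([string]$SamAccountName, [string]$Prefix)
    return $SamAccountName.StartsWith($Prefix, [System.StringComparison]::OrdinalIgnoreCase)
}

$violations = foreach ($group in Get-QADGroup -SearchRoot $RestrictedOU -SizeLimit 0) {
    # Direct user members only; nested group membership is a separate policy question.
    foreach ($member in Get-QADGroupMember -Identity $group.DN -Type user -SizeLimit 0) {
        if (-not (Test-PrivilegedName $member.SamAccountName $PrivilegedPrefix)) {
            [pscustomobject]@{
                Group    = $group.Name
                GroupDN  = $group.DN
                Member   = $member.SamAccountName
                MemberDN = $member.DN
            }
        }
    }
}

if (-not $violations) { Write-Host "No non-privileged members found under $RestrictedOU"; return }

$report = $violations | Select-Object Group, Member | Format-Table -AutoSize | Out-String
Write-Warning "Non-privileged accounts found in restricted groups:`n$report"

# The e-mail notification the change-workflow approach would send.
Send-MailMessage -To $AlertTo -From "activeroles-audit@example.com" -SmtpServer $SmtpServer `
    -Subject "Restricted group membership violation" -Body $report

if ($Remediate) {
    foreach ($v in $violations) {
        # -WhatIf keeps the first run read-only; drop it once the report has been reviewed.
        Remove-QADGroupMember -Identity $v.GroupDN -Member $v.MemberDN -WhatIf
    }
}
```

    Run it on a schedule as a detective control alongside the preventive policy; the workflow itself remains the place to block or revert a change at the moment it is made.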

  • Thank you Johnny for taking your time and for responding. I am gonna try using my local instance before I try this in our work.

    Regards

    Shyam
