Domain Admin temporary access

We are looking at using ActiveRoles to manage temporary access to sensitive groups such as Domain Admins, it appears this is simple enough to do but wanted to get some feedback before we lock ourselves out entirely!

The plan is we allow our admins to add themselves to groups such as Domain Admins, Quest Admins and Enterprise Admins.  We will have a policy in place that forces temporary access of one hour if they don't select anything.  There will be a limit of 8 hours (these times are being debated).

We decided to include the Quest Admins group as that's just as important as Domain Admins etc.

There will be a scheduled workflow that checks for members of Domain Admins and alerts for any unauthorised members; ideally the workflow would delete them, but we are a little scared of automating the deletion.  We already have similar alerts from Change Auditor as well.

Has anyone done this before, does it sound reasonable?

Is there anything else we should consider when it comes to locking down domain admin access?

  • I built a solution like this for a client where they wanted their admins to "borrow" elevated privilege group memberships.

    We added a custom page to AR's self service web site where a user could choose the groups they wanted to be a part of and they would be added to their account with an expiration time using the built-in temporal group membership feature.  The list of groups they were able to choose from was "filtered" by populating an attribute on the "in scope" groups.

    The custom page showed users the expiration date and time of their borrowed memberships.

  • That sounds like just what we need, thanks!

    Do you know how we can check if a group member has temporary group membership enabled and how long for?

    I can see Get-QADGroupMember has a Control argument, but I cannot work out how to use it.

    I want to stop people from adding themselves for several days and I want to default membership to 1 hour (which I've found a solution for).

  • As usual, after posting the question, I found the details in the SDK.

    This is the code I've come up with; I can't work out if there is a more efficient way of achieving this, and would appreciate any feedback.

    function Grant-TemporalGroupMembership($Request) {
        # Members being added in this workflow run, and the group they are being added to
        $users = $workflow.SavedObjectProperties("AddedMembers").getEx("member")
        $groupDN = $Request.Get("distinguishedName")
    
        Add-Type -AssemblyName System.DirectoryServices
        # Ask the ActiveRoles EDMS provider for each member link together with its scheduled start/end time
        $adsiPath = "EDMS://$($groupDN)//EDS_SEARCHPREF_ATTRIBUTE_QUERY=member//ScheduledLink-GetStartEndTime=1"
        $rootDirectory = New-Object System.DirectoryServices.DirectoryEntry($adsiPath)
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($rootDirectory)
        $searcher.Filter = "(objectClass=*)"
        $properties = @(
            "distinguishedName",
            "edsva-ScheduledLink-EndTime"
        )
        foreach ($p in $properties) {
            $searcher.PropertiesToLoad.Add($p) | Out-Null
        }
        # Default: schedule the removal one hour from now (UTC, in the format the control expects)
        $time = (Get-Date).AddHours(1).ToUniversalTime().ToString("dd MMM yyyy HH:mm")
        $control = @{
            "ScheduledOperation-SetTime" = $time
        }
        $members = $searcher.FindAll()
        # Longest membership we are prepared to accept without resetting it to the default
        $maxEnd = (Get-Date).AddHours(4)
    
        foreach ($userDN in $users) {
            # only check admin accounts, leave service accounts etc
            if ($userDN -imatch ".*OU=Accounts,OU=Admin,DC=somewhere,DC=local") {
                $members | Where-Object {
                    $endTime = $_.Properties["edsva-ScheduledLink-EndTime"]
                    # Reset to the 1-hour default when the membership is permanent (no end time at all)
                    # or when the requested end time is further out than the maximum.
                    # Assumes the provider returns an end time value that [DateTime] can convert.
                    (
                        $endTime.Count -eq 0 -or
                        [DateTime]($endTime[0]) -gt $maxEnd
                    ) -and
                    $_.Properties["distinguishedName"] -eq $userDN
                } | ForEach-Object {
                    Remove-QADGroupMember -Identity $groupDN -Member $userDN -Control $control
                }
            }
        }
    }
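A read-only audit of a privileged group's temporal memberships, added here as an example and not code from the thread: it runs the same EDMS:// search the function above relies on, reports members that have no end time (permanent) or an end time beyond the policy maximum, and removes nobody, so it fits the alert-only workflow described in the question. The function name, its parameters, the break-glass exemption pattern and the 8-hour default are assumptions of this example, and the edsva-ScheduledLink-EndTime value is assumed to convert with [DateTime].

```powershell
function Get-PrivilegedGroupMembershipReport {
    param(
        [Parameter(Mandatory)][string]$GroupDN,
        [int]$MaxHours = 8,              # policy cap (the thread has 8 hours under debate)
        [string[]]$ExemptPattern = @()   # regexes for DNs allowed permanent membership, e.g. break-glass accounts
    )
    Add-Type -AssemblyName System.DirectoryServices
    # Same EDMS:// search as the function in the thread: each member link with its scheduled end time
    $adsiPath = "EDMS://$GroupDN//EDS_SEARCHPREF_ATTRIBUTE_QUERY=member//ScheduledLink-GetStartEndTime=1"
    $root = New-Object System.DirectoryServices.DirectoryEntry($adsiPath)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(objectClass=*)"
    foreach ($p in "distinguishedName", "edsva-ScheduledLink-EndTime") {
        [void]$searcher.PropertiesToLoad.Add($p)
    }

    $limit = (Get-Date).ToUniversalTime().AddHours($MaxHours)
    foreach ($result in $searcher.FindAll()) {
        $dn = [string]$result.Properties["distinguishedName"][0]
        $endValues = $result.Properties["edsva-ScheduledLink-EndTime"]
        $endTime = $null
        if ($endValues.Count -gt 0) {
            # Assumption: the provider returns a value [DateTime] can convert
            $endTime = ([DateTime]($endValues[0])).ToUniversalTime()
        }
        $exempt = $false
        foreach ($pattern in $ExemptPattern) {
            if ($dn -imatch $pattern) { $exempt = $true }
        }
        # Classify: permanent members did not come through the temporal self-service path,
        # and an end time past the cap means the policy limit was bypassed
        if ($exempt)                 { $status = "Exempt" }
        elseif ($null -eq $endTime)  { $status = "Permanent" }
        elseif ($endTime -gt $limit) { $status = "ExceedsMax" }
        else                         { $status = "Compliant" }

        [pscustomobject]@{
            Group      = $GroupDN
            Member     = $dn
            EndTimeUtc = $endTime
            Status     = $status
        }
    }
}

# Usage (alert only; nothing is removed):
# Get-PrivilegedGroupMembershipReport -GroupDN "CN=Domain Admins,CN=Users,DC=somewhere,DC=local" `
#     -ExemptPattern "^CN=BreakGlass" | Where-Object Status -ne "Compliant"
```

Feeding the non-compliant rows to the alerting step keeps a human in the loop, and the Status column gives the workflow a clear condition to act on later if automated removal is ever enabled.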