Domain lockdown and Enumeration

Good morning all,

I've deployed AR with an SQL back-end running on AGs, and all works beautifully. I have a few issues with my lockdown process, and for some reason I can't get the domains viewable in the webpage with the bare minimum of access, so the questions are these:

  • When I'm applying rights to the OU structure and I don't want all sub-OUs to be accessible, I use a Deny All, but this doesn't apply: I can still view the OU and what is inside it.
  • What's the precedence of access templates? I can't find any documentation on this.
  • How do I enforce enumeration so the OU isn't even viewable in the web interface?

Thanks!



  • AR has a white listing model - you always start with NO access.

    I would avoid using Deny Access Templates unless absolutely necessary. Rather, grant rights only on the OUs where you want to give access and turn off the inheritance of the access (or at least limit it to "immediate children only").

    'Hope this helps.

  • Hey Johnny,

    Yeah, that's what I thought. When I set permissions on the domain and OU structures, I'm adding "List Content" and "List" for Domain and OU objects; this still doesn't let me see inside the OU.

    What I then did was allow read access to the entire object structure; then I could populate the OUs without issue, but then so did the privileged OUs I wanted to omit, so I did a deny.

    So, I guess my new question is this: what is the absolute minimum I have to give a helpdesk user to list only the OUs I want, and at what level do I need to set these permissions?

    Thanks,

    Alex

  • They need to be able to crawl through the domain and the OUs to get to where they need to be. So you can apply the permissions at the domain level, but then disable inheritance for that policy link on the OU trees that they don't need to see. Alternatively, you can place all the relevant OUs into a Managed Unit and grant access to just that Managed Unit, or place the relevant objects into Managed Units and do the same.

  • Yep - good call on the Managed Unit suggestion. Especially if you want to be really granular about where you grant access. The MU will let you review that more easily too.
