Apply policy to all but specific users OR computers - group-policy

Specifically I'm trying to implement a block removable storage policy.
Let's say I have 100 computers named PC1-PC100. PC1-PC10 need to allow removable storage no matter who logs in. Additionally, a couple of user accounts need access to removable storage no matter what computer they log into.
I have tried this by creating a security group, adding the computers list to it, creating a policy that targets Authenticated Users which blocks removable storage at the user level, and then added delegations for the whitelisted computer security group and the 2 user accounts, with a Deny for Apply Group Policy. The delegations worked for the 2 user accounts, but removable storage did not work on the computers in the security group unless the 2 mentioned accounts were logged in.
Can someone kindly point me in the right direction? Thanks!

Related

How to secure resources with Casbin based on multiple groups membership

What is the best option to implement such security in Casbin?
I have several folders, each of them has its own security (i.e. the users allowed to access it).
But that's not enough: the action a user is allowed to perform in a folder depends on the user's group.
As an example:
alice can be admin for folder1 so she can read and write within it
alice can be user for folder2 so she can only read
I was thinking of using 1 group per role (user, admin) and 1 group per folder, however this is not fine because once a user is assigned a role, he cannot change it.
I looked at RBAC with domains and this can work until I duplicate all my policies for each folder (yeah, all users will always have the same rights in a folder...) because the domain must be part of the policy itself.
Do you have any suggestion on how to achieve this?
Thanks

how to unlock accounts that meet certain conditions

I am trying to unlock several accounts in Active Directory through PowerShell, but I can't figure out how to link every condition into the query.
The conditions are:
-The account should be enabled
-It shouldn't be "memberof" some groups (which I'm not able to unlock, like Administrators)
I don't have full control over accounts; I'm not able to unlock some of them due to my privileges, so it would be very helpful if you can help me to know, or simply discard, the accounts that I'm not able to unlock.
I've just tried this
Search-ADAccount -LockedOut | Unlock-ADAccount
(Very poor attempt, I know, I'm very new to this technology)
But it gives me an error because of my account's privileges.
It says: access rights are insufficient to perform the action.
The error is the same for different CN accounts
But gives me errors because of my account's privileges
That 's' in "errors" is key. If you're getting more than one error, that means that errors don't stop it from continuing on to the next account. That is, actually, how PowerShell works by default.
So what you are doing is already working the way you want it to: it is unlocking all the accounts that you have access to.
Of course, this is just a band-aid on the real problem. It won't eliminate calls for the problem accounts, and it undermines the added security you get by locking accounts in the first place.
I'm able to unlock some accounts, but when I run the command Unlock-ADAccount, I think it tries to unlock accounts like administrator, some disabled accounts, for which I don't have permission to modify, but if I run that command on an individual "regular" account, it gets unlocked.
This is due to the blocking of inheritance of permissions applied to Domain Admins accounts and due to the Security Descriptor propagator (SDPROP).
It's not recommended, as it's a critical mechanism in my opinion, but you might:
create a specific delegation for a group
and append this group to the Access Control Entry (ACE) of this kind of template folder for admin permissions: 'CN=AdminSDHolder,CN=System,DC=example,DC=com' (with the help of LDP.exe)
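The two conditions from the question (enabled, not a member of groups the operator cannot touch) and the AdminSDHolder/SDPROP point from the answer above can be combined into one filter before any unlock is attempted. The script below is an added example, not code from the thread: it assumes the ActiveDirectory module, a delegated "Unlock account" right on ordinary user objects, and a constructed list of excluded groups that you would replace with your own. Accounts protected by SDPROP carry adminCount=1, so they are skipped up front instead of producing an access-denied error.

```powershell
# Added example (not from the original thread). Assumes the ActiveDirectory module
# and that the caller has been delegated the "Unlock account" right on regular users.
Import-Module ActiveDirectory

# Constructed list of groups whose members this script must never unlock;
# replace with the groups you are not permitted to modify.
$excludedGroups = @('Administrators', 'Domain Admins', 'Enterprise Admins', 'Account Operators')

# Resolve the group DNs once so membership can be compared against MemberOf.
$excludedDns = foreach ($g in $excludedGroups) {
    (Get-ADGroup -Filter "Name -eq '$g'" -ErrorAction SilentlyContinue).DistinguishedName
}

# Start from locked-out user accounts only, then fetch the attributes we filter on.
$candidates = Search-ADAccount -LockedOut -UsersOnly |
    Get-ADUser -Properties Enabled, MemberOf, adminCount

foreach ($user in $candidates) {
    # Condition 1: the account must be enabled.
    if (-not $user.Enabled) { continue }

    # Condition 2: skip direct members of the excluded groups.
    $inExcluded = @($user.MemberOf | Where-Object { $excludedDns -contains $_ }).Count -gt 0
    if ($inExcluded) { continue }

    # Accounts under AdminSDHolder/SDPROP protection have adminCount=1; their ACL
    # does not inherit the delegation, so skip them rather than fail on them.
    if ($user.adminCount -eq 1) { continue }

    try {
        Unlock-ADAccount -Identity $user -ErrorAction Stop
        Write-Output "Unlocked $($user.SamAccountName)"
    } catch {
        # Anything still denied is reported, not silently swallowed.
        Write-Warning "Could not unlock $($user.SamAccountName): $($_.Exception.Message)"
    }
}
```

The MemberOf check covers direct membership only; nested membership would need Get-ADGroupMember -Recursive on each excluded group. Keeping the Write-Warning branch matters from an auditing standpoint: repeated lockouts of the same account are worth investigating rather than just clearing, as the first answer notes.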

Provide all users with ability to edit their own specific attributes in Active Directory

I've been working on a project that allows users in our domain to edit 3 Active Directory attributes on their own object. This has been written in Python, and the only issue I have now is user permissions on these attributes.
Two of these are custom, the third is the Location(physicalOfficeDeliveryAddress).
I have looked everywhere and only found documentation on how to give permission for users in a group for these attributes but for ALL users or limited by group.
I'm looking to apply the permission under the Identity Reference: NT AUTHORITY\SELF so that users may only edit their own attributes.
In fewer words, I'm looking to write a script that will delegate permissions for three specific attributes to ALL users in the domain but only for themselves (NT AUTHORITY\SELF).
I have a loop that will perform it for each user; I have just hit a brick wall on what to include in the loop.
Any help would be appreciated.
NT AUTHORITY\SELF is one of Windows' well-known SIDs, with a SID of S-1-5-10.
So you do it the same way you would for any other account, but grant the permissions to S-1-5-10 instead.
If you show us the code you're working with, we might be able to help you with where to plug in that value, if you need.
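As an added example of where the S-1-5-10 value plugs in (this is not the asker's script or an answer from the thread), the snippet below grants WriteProperty on three attributes to NT AUTHORITY\SELF. Rather than looping over every user object, it places one inheritable ACE per attribute on the users' OU, limited to descendant objects of the user class, so new users inherit it automatically. Assumptions: the ActiveDirectory module and its AD: drive, a placeholder OU DN, and placeholder names customAttr1 and customAttr2 for the two custom attributes; the third attribute is written as physicalDeliveryOfficeName, the schema name behind the Office field, which you should adjust if your attribute differs.

```powershell
# Added example, not code from the question. Grants every user in an OU the right to
# write three attributes on their own object via ACEs for NT AUTHORITY\SELF (S-1-5-10).
Import-Module ActiveDirectory

# Placeholders: replace with your two custom attribute names; the third is the
# schema name of the Office field.
$attributes = @('customAttr1', 'customAttr2', 'physicalDeliveryOfficeName')
$targetOu   = 'OU=Users,DC=example,DC=com'   # placeholder DN of the users' OU

$self = [System.Security.Principal.SecurityIdentifier]'S-1-5-10'
# schemaIDGUID of the "user" class, so the ACE applies only to user objects.
$userClassGuid = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

# A property-scoped ACE needs the attribute's schemaIDGUID, looked up in the schema NC.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attrGuids = @{}
foreach ($attr in $attributes) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$attr)" -Properties schemaIDGUID
    if (-not $obj) { throw "Attribute '$attr' not found in the schema" }
    $attrGuids[$attr] = [guid]$obj.schemaIDGUID
}

$path = "AD:\$targetOu"
$acl  = Get-Acl -Path $path

foreach ($attr in $attributes) {
    # Allow SELF to write exactly this property, inherited by descendant user objects only.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $self,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $attrGuids[$attr],
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid)
    $acl.AddAccessRule($rule)
}

Set-Acl -Path $path -AclObject $acl
Write-Output "Granted SELF WriteProperty on $($attributes -join ', ') under $targetOu"
```

Two checks worth running afterwards: (Get-Acl "AD:\<a user DN>").Access filtered on IdentityReference NT AUTHORITY\SELF should show three inherited WriteProperty entries, and accounts with adminCount=1 will not show them, because SDPROP keeps protected accounts from inheriting OU permissions. Scoping the ACE to the three attribute GUIDs is what keeps this from becoming a general self-write right.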

Limiting session time

I have a Windows Server 2012 R2 on which a policy needs to be set. This policy should logoff a user if it is disconnected or idle for more than 2 hrs.
One twist is, I have a user with name 'Invo' which should not get kicked out due to this policy.
Depending on your setup, I take it that the user is part of the same OU as the other users that you want to apply this GPO to. Another thing you could look at is using security filtering to only apply the GPO to a certain group or people, but this also would depend on the number of users you have.

How to determine if users with different home domains are part of same google apps org?

In Google Apps, there is always a base/primary organization. But Google Apps can have subdomains and suborganizations both (or combination of those).
We want to be able to identify the currently logged-in user as being part of the overall organization, whether it be the primary org/domain or some subdomain or suborg. But when you get user info or license info, it returns the home domain of the currently logged in user as the ID for their organization. No ID is consistent across all subdomains or suborgs.
I've also tried listing all orgs using the organization apis, but that doesn't seem to work when trying to get the org info of the root org: https://developers.google.com/admin-sdk/directory/v1/guides/manage-org-units
Is there a way, given a particular Google Apps user, to determine what the primary organization is?
The only alternative we have is to treat every domain/subdomain in the Google Apps org as its own independent org. This is less than ideal because a Google Apps admin who manages all of their sub-orgs/subdomains in one place in Google will now have to manage a separate organization in our app for each domain in their overall org. This uses up extra resources in our system for creating these additional orgs, but more importantly creates a very confusing organization/user management model.
When you look at the Users resource for the two users, compare the customerId attribute. If they match, the two users are in the same Google Apps account. If they don't, they're not.
Also, don't assume two logged in users are in the same Apps account. One could be an Apps account and one could be a consumer account even though they have the same SMTP domain.