
UI / Safety / Policy / Member / AD - cannot find user with changed Primary Group

Open · ra-at-diladele-com opened this issue 6 years ago · 1 comment

In Active Directory do the following.

  1. Create a new group, say Management.
  2. Create a new user, say user1
  3. Make this user a member of Management group.
  4. Open user properties in Windows's Users and Computers MMC snapin.
  5. Click on the Member Of tab.
  6. Select Management group and then click on "Set Primary Group"

Now go to UI / Safety / Policy / Members / AD Group and add this group (Management). The group is found in the AD and should be in the list of groups for this policy.

Click on "Search for User" button. Type the sAMAccountName (user1) or userPrincipalName ([email protected]) into the search box and click "Search".

The output will indicate the user is NOT found. If you open the user's properties in AD, the Management group is present in the Member Of tab, so the user is definitely a member of that group.

REASON: When searching for a user we ONLY take a look at memberOf attribute in LDAP by running the filter:

(&(|([email protected])(sAMAccountName=user1))(memberOf=CN=Management,OU=Groups,OU=Amstelveen,DC=example,DC=lan))

But as the Management group is set as Primary Group for user1, it is NOT contained in the memberOf attribute in AD; its id is instead contained in the primaryGroupID property of that user. The problem here is that primaryGroupID cannot be easily found by looking at the group's properties in LDAP, because the group id is a compound attribute and looks like

objectSid = S-1-111-222-333-1119

In this case the primaryGroupID of the user1 is actually stored as 1119 in LDAP. So we cannot use the LDAP filter to find it.

WORKAROUND:

  • do NOT change the primary group id of the users in AD. It is actually also shown on the User Properties tab - unless you have Mac or Unix clients

FIX:

  • when adding a group in LDAP to policies, look up not ONLY the DN of the group but also parse the group ID.
  • then when searching for a user, look up his primaryGroupID property in the LDAP and compare it with the group ID stored in configuration. ONLY if the normal group search fails!

ra-at-diladele-com, Apr 14 '18 11:04
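The FIX proposed in this issue, worked through as an added example (not code from the issue author or from the websafety project): decode the group's binary objectSid to extract its RID, build the memberOf filter the issue quotes plus the primaryGroupID fallback filter, and decide membership locally with the fallback used only when the direct memberOf match fails. The SID value, the DN, the user entry and the helper names are constructed for illustration.

```python
import struct

def sid_bytes_to_string(sid: bytes) -> str:
    """Decode a binary objectSid (as AD returns it over LDAP) into S-R-A-S1-...-RID form."""
    revision, sub_count = struct.unpack_from("<BB", sid, 0)
    authority = int.from_bytes(sid[2:8], "big")            # 48-bit, big-endian
    subs = struct.unpack_from("<%dI" % sub_count, sid, 8)  # 32-bit little-endian each
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))

def rid_from_sid(sid_str: str) -> int:
    """The trailing sub-authority (RID) is the number a user's primaryGroupID stores."""
    return int(sid_str.rsplit("-", 1)[1])

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a login name or DN cannot change the filter's structure."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29").replace("\x00", "\\00"))

def login_clause(login: str) -> str:
    v = escape_filter_value(login)
    return "(|(userPrincipalName=%s)(sAMAccountName=%s))" % (v, v)

def member_of_filter(login: str, group_dn: str) -> str:
    """The filter the issue describes: only the direct memberOf attribute is consulted."""
    return "(&%s(memberOf=%s))" % (login_clause(login), escape_filter_value(group_dn))

def primary_group_filter(login: str, group_rid: int) -> str:
    """Fallback from the FIX: match the user's primaryGroupID against the group's RID."""
    return "(&%s(primaryGroupID=%d))" % (login_clause(login), group_rid)

def user_is_member(user: dict, group_dn: str, group_rid: int) -> bool:
    """Decide over already-fetched attributes: direct membership first, primary group only as fallback."""
    if any(dn.lower() == group_dn.lower() for dn in user.get("memberOf", [])):
        return True
    return int(user.get("primaryGroupID", -1)) == group_rid

# Constructed sample data (not from a real directory): the binary objectSid of a group
# whose SID is S-1-5-21-111-222-333-1119, and user1 whose primary group it is.
GROUP_DN = "CN=Management,OU=Groups,OU=Amstelveen,DC=example,DC=lan"
GROUP_SID_BYTES = struct.pack("<BB", 1, 5) + (5).to_bytes(6, "big") + struct.pack("<5I", 21, 111, 222, 333, 1119)
USER1 = {"sAMAccountName": "user1", "memberOf": ["CN=Staff,OU=Groups,DC=example,DC=lan"], "primaryGroupID": "1119"}

if __name__ == "__main__":
    rid = rid_from_sid(sid_bytes_to_string(GROUP_SID_BYTES))
    print(member_of_filter("user1", GROUP_DN))  # on its own this misses user1
    print(primary_group_filter("user1", rid))   # fallback that finds the primary-group member
    print(user_is_member(USER1, GROUP_DN, rid))
```

Storing the RID next to the group DN at configuration time, as the FIX suggests, avoids re-reading the group's objectSid on every user lookup.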

See a discussion at https://support.microsoft.com/en-us/help/297951/how-to-use-the-primarygroupid-attribute-to-find-the-primary-group-for

ra-at-diladele-com, Apr 14 '18 11:04