AD Global Group and Authorization

Dec 3, 2009 at 7:18 PM

I have an AD global group that was created in an OU 2 levels deep. So here is the layout.

Global Groups --> Applications --> WC Policy Management

Under that is a Global Security Group called WC Policy Management - Administrator

When I go into the MMC and add that group to my Administrator role in my application, it acts like I am not a member of that group. If I add my user id directly to the AzMan role it works fine. Any ideas what I am doing wrong?


Thanks

Jon

Dec 3, 2009 at 9:23 PM

Hi Jon,

1) Is your AD Global Group a Security or Distribution group?

2) Are you using the latest NetSqlAzMan version?

3) Have you done a Check Access test using the MMC? (right click on the Application node – Check Access test)

Let me know.

Andrea.

__________________________________
Andrea Ferendeles
NetSqlAzMan Project Coordinator
E-mail: aferende@hotmail.com  Web: http://netsqlazman.codeplex.com

Dec 3, 2009 at 9:32 PM

Hi, thanks for responding.

It is a Security Group.

Yep, just installed the new version to see if it fixed it.

Just did the Check Access test (did not know I could do that); everything came back as NEUTRAL. I noticed in the window it said this:

Groups: 25

And it listed 25 groups none of which were the group I put in the role.

Again thanks for helping.

Dec 3, 2009 at 10:07 PM

Jon,

Put these few lines in a console application to see your groups:

    using System;
    using System.Security.Principal;

    class Program
    {
        static void Main()
        {
            string upn = "youraccount@domain.ext";

            // Kerberos Protocol Transition (S4U2Self): builds a token for the UPN without its password.
            // This works only on Windows Server 2003, 2008, Vista, Seven but not XP.
            WindowsIdentity wid = new WindowsIdentity(upn);

            // wid.Groups holds SIDs; translate each one to DOMAIN\Name for display.
            foreach (IdentityReference sid in wid.Groups)
            {
                NTAccount group = (NTAccount)sid.Translate(typeof(NTAccount));
                Console.WriteLine(group.Value);
            }
        }
    }

Please check if your AD Global Group is listed here.

If not, there may be something wrong in your group nesting.

Let me know.

Regards,

Andrea.

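As an added example (not Andrea's code and not part of NetSqlAzMan), the listing above can be turned into a check that resolves the AzMan role's group name to its SID and tests whether that SID is among the token groups, so the comparison does not depend on the group's display name matching its account name. The UPN, the group name and the fallback to the current user's token on XP are assumptions.

```csharp
using System;
using System.Security;
using System.Security.Principal;

class GroupCheck
{
    // Returns true when the group (given as DOMAIN\sAMAccountName) is in the token.
    // Token groups are SIDs, so resolve the name to a SID once and compare SIDs.
    static bool TokenContainsGroup(WindowsIdentity wid, string groupAccountName)
    {
        SecurityIdentifier wanted = (SecurityIdentifier)
            new NTAccount(groupAccountName).Translate(typeof(SecurityIdentifier));

        foreach (IdentityReference group in wid.Groups)
        {
            if (wanted.Equals(group)) return true;
        }
        return false;
    }

    static void Main(string[] args)
    {
        // Constructed placeholder values; replace with the real account and group.
        string upn = args.Length > 0 ? args[0] : "youraccount@domain.ext";
        string groupName = args.Length > 1 ? args[1] : @"DOMAIN\WC Policy Management - Administrator";

        // Kerberos protocol transition needs Server 2003/2008, Vista or 7 (not XP);
        // assumption: on failure fall back to the token of the user running the tool.
        WindowsIdentity wid;
        try { wid = new WindowsIdentity(upn); }
        catch (SecurityException) { wid = WindowsIdentity.GetCurrent(); }

        Console.WriteLine("Groups in token: " + wid.Groups.Count);
        foreach (IdentityReference group in wid.Groups)
        {
            // A SID that no longer maps to an account (deleted group, foreign domain) cannot be translated.
            try { Console.WriteLine(group.Translate(typeof(NTAccount)).Value); }
            catch (IdentityNotMappedException) { Console.WriteLine(group.Value + " (unresolved SID)"); }
        }

        Console.WriteLine(TokenContainsGroup(wid, groupName)
            ? "Group is present in the token."
            : "Group is MISSING from the token; check nesting and which account the role was granted to.");
    }
}
```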

Dec 4, 2009 at 3:53 PM

I ran that code this morning. It does show that I am in that group. I ran it on one of the servers. My machine is still XP.

Dec 7, 2009 at 7:41 PM

Ok.

Please send me a pvt msg (aferendeATNOSPAMhotmail.com) with the exported NetSqlAzMan Storage (xml).

Regards,

Andrea.
