Active Directory Group membership inheritance

active-directory

I'm pretty new in active Directory so please be comprehensive..
I'm trying to make some 'sets' of security groups in AD. So I make some groups and members of these groups are groups again..

So I have a MasterGroup with 2 subGroups members. My question is, if I add some users to the MasterGroup, they are also members of the subGroups?
The objective is to make a user member of a unique group to make some kind of "membership inheritance".

Maybe something more simple exists in active directory to make this kind of tricks. I'm open to propositions..

Best Answer

If you add some users to the MasterGroup they will not be automatically members of the subGroups. But if you add some users to one of the subGroups, these users will inheredit permissions from the MasterGroup as subGroups are part of the MasterGroup. Please note that the resulting permission will be a combination of MasterGroup permission, subGroup permission and user permissions too.

Related Solutions

Ldap – SquidGuard and Active Directory groups

Solved.

Assuming the following:

- Domain name: "domain.com"
- Group name: "Internet Users"
- User name: "UserName"
- Path to group: "domain.com\OU1\OU2\Internet Users"

The query for checking if the user is member of that group would be:

(&(memberOf=CN=Group Name,OU=OU2,OU=OU1,DC=domain,DC=com)(SAMAccountName=UserName))

So you would have to add the following to squidGuard.conf to identify the members of that group ("%s" is squidGuard.conf's placeholder for "the client's user name"):

src Internet_Users {
    ldapusersearch  ldap://dc.domain.com/DC=domain,DC=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=Internet Users,OU=OU2,OU=OU1,DC=domain,DC=com))
}

Caveat: it will not work if written as above, giving you a laconic "syntax error" message; this is because (part of) the statement is treated like a URL, so you have to escape special characters such as commas and whitespaces; the correct form would thus be this one:

src Internet_Users {
    ldapusersearch  ldap://dc.domain.com/DC=domain,DC=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=Internet%20Users%2cOU=OU2%2cOU=OU1%2cDC=domain%2cDC=com))
}

Also, in order to avoid problems with Active Directory referrals (sometimes a DC will just redirect you to another one, even if you are on the same domain it manages), it might be useful to query a global catalog:

src Internet_Users {
    ldapusersearch  ldap://gc.domain.com:3268/DC=domain,DC=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=Internet%20Users%2cOU=OU2%2cOU=OU1%2cDC=domain%2cDC=com))
}

Ldap – Restrict access to websites based on LDAP / Active Directory group membership

We do this with Barracuda Network's Web Filter, which can be integrated with Active Directory. You can also assign certain IP addresses specific permissions - it is easy enough to make sure the same computer always has the same IP address on your network via DHCP or plain old static configuration. We chose this because we liked the reporting it does, and we got a good deal.

There are plenty of competing web filter solutions, hardware, software, open source, and even cloud based Software as a Service solutions, that integrate with Active Directory - if they do that then they almost 100% do what you need.

Best Answer

Related Solutions

Ldap – SquidGuard and Active Directory groups

Ldap – Restrict access to websites based on LDAP / Active Directory group membership

Related Topic