Unable to add a group as a owner to another group in Azure AD - azure-active-directory

We want to add an admin group as an owner to all other groups. When we tried to add it via a PowerShell command we got the error below:
'Group' is invalid for the 'owners' reference

It's not supported to add a group as an owner of other groups currently.
You could use Get-AzureADGroupMember to get a list of the group's members and then loop over them to add all the members as owners of the other groups.
An example:
$adgms = Get-AzureADGroupMember -ObjectId "{objectId of the admin group}" -All $true
foreach($adgm in $adgms){
Add-AzureADGroupOwner -ObjectId "{objectId of the target group}" -RefObjectId $adgm.ObjectId
}
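As an added example (not the original answer's code), the loop above generalised to several target groups: it only adds owners that are missing, so it can be re-run safely, and it reports nested groups inside the admin group, which cannot become owners. It assumes the AzureAD module is loaded and Connect-AzureAD has been run; the function name and the object IDs in the usage line are placeholders.

```powershell
# Added example, not the original answer's code. Assumes the AzureAD module is
# loaded and Connect-AzureAD has already been run; all IDs are placeholders.
function Sync-GroupOwnersFromAdminGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$AdminGroupId,      # objectId of the admin group
        [Parameter(Mandatory)][string[]]$TargetGroupIds   # objectIds of the groups to own
    )

    # Only users (not groups) can be owners, which is the error the question hit.
    # Groups nested inside the admin group are reported rather than silently dropped.
    $members = Get-AzureADGroupMember -ObjectId $AdminGroupId -All $true
    $users   = @($members | Where-Object { $_.ObjectType -eq 'User' })
    foreach ($g in ($members | Where-Object { $_.ObjectType -eq 'Group' })) {
        Write-Warning "Nested group '$($g.DisplayName)' in the admin group is not expanded"
    }

    foreach ($targetId in $TargetGroupIds) {
        # Build a lookup of existing owners so an owner is never added twice.
        $existing = @{}
        foreach ($o in (Get-AzureADGroupOwner -ObjectId $targetId -All $true)) {
            $existing[$o.ObjectId] = $true
        }

        foreach ($u in $users) {
            if ($existing.ContainsKey($u.ObjectId)) { continue }
            # -WhatIf on the function prints the intended change without making it.
            if ($PSCmdlet.ShouldProcess($targetId, "Add owner $($u.UserPrincipalName)")) {
                Add-AzureADGroupOwner -ObjectId $targetId -RefObjectId $u.ObjectId
            }
        }
    }
}

# Usage (placeholder IDs): preview with -WhatIf first, then run without it.
# Sync-GroupOwnersFromAdminGroup -AdminGroupId '<admin group objectId>' `
#     -TargetGroupIds '<target group objectId 1>', '<target group objectId 2>' -WhatIf
```

Previewing with -WhatIf before applying is worth the extra step: every owner added here gains the right to change membership of the target group, so the list of intended changes should be reviewed once before it is applied across all groups.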

Related

Create a hidden AAD group

How do I create a hidden AAD group (number of users should be listed as 0) in a demo tenant?
I created a hidden group via
New-UnifiedGroup -DisplayName "group-name" -HiddenGroupMembershipEnabled
but I still see all the members in the group. What am I missing?
To create a hidden Azure AD group, you can use the command below:
New-AzureADMSGroup -DisplayName "Group_Name" -groupTypes "Unified" -Visibility "HiddenMembership" -SecurityEnabled $False -MailEnabled $True -MailNickname "mail_name"
Make sure to have AzureADPreview module installed before running the above command.
If you created an Azure AD group with "HiddenMembership", the only users who can see that group's members are:
Group Owner.
Group Members.
Users who have admin roles.
Other than the above, if anyone tries to fetch the group members, they won't get any list of group members (same as 0 users).
I tried to reproduce the same in my environment and got the results below:
I created one Azure AD group with "HiddenMembership" and added a few members using the script below:
Connect-AzureAD
New-AzureADMSGroup -DisplayName "HiddenMem_Group" -Description "Hidden Members Group" -groupTypes "Unified" -Visibility "HiddenMembership" -SecurityEnabled $False -MailEnabled $True -MailNickname "hide_mem"
Add-AzureADGroupMember -ObjectId "GroupID" -RefObjectId "User_ObjectID"
Response:
Please note that the user who created the group will be the Group Owner of that group by default, as shown below:
As Testdemo is the Group Owner, he can get the list of group members using a command like the one below:
Get-AzureADGroupMember -ObjectId <Group_ObjectID>
Response:
When a normal user with no admin roles who is not a member of that group runs the same command, he won't get any response (same as 0 users), as shown below:
Get-AzureADGroupMember -ObjectId <Group_ObjectID>
Response:
Reference:
New-AzureADMSGroup (AzureAD) | Microsoft Docs

Getting Domain for User with DSQuery | DSGet

Using DSQuery and DSGet to get user attributes that are needed to make accounts (not associated with their Windows account). The current command I've got is:
dsquery * -filter "(&(objectCategory=Person)(objectclass=User)(mail=first.last@email.com))" | dsget user -samid -fn -ln -office -email > user.txt
which gets me all the information I need except the domain the user is associated with. There's the attribute in AD called User logon name (pre-Windows 2000) (first box), but as far as I can tell DSGet doesn't return that. I know the DSQuery can get me the groups the user is in but I'm not sure if there's an easy (one-liner) that can get the info needed. Any guidance or help is appreciated.
There is no attribute "User logon name (pre-Windows 2000)" in Attribute Editor, so there is another way we can get the user logon name: using the distinguished name (DN) and UPN (user logon name).
Please use the command below to get the DN.
This is for user
dsquery * -filter "(&(objectCategory=Person)(objectclass=user)(mail=first.last@microsoft.com))" | dsget user "CN=RahulShaw,CN=Users,DC=microsoft,DC=com" -samid -fn -ln -office -email -DN -UPN > Ansuman.txt
This is under Domain Users
dsquery * -filter "(&(objectCategory=Group)(objectclass=group)(mail=first.last@microsoft.com))" | dsget group "CN=Domain Users,CN=Users,DC=microsoft,DC=com" -samid -DN > ipsita.txt
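An added example, not part of the question or the answer above. The value in the "User logon name (pre-Windows 2000)" box is the sAMAccountName attribute (what `dsget user -samid` prints) prefixed with the domain's NetBIOS name, and the domain itself is not a separate attribute: it is the DC= components of the DN that `dsget user -dn` prints. The helper below turns such a DN into the DNS domain name; the function name and the sample DN are constructed for illustration, and the commented-out lines show how it combines with the ActiveDirectory RSAT cmdlets to build the DOMAIN\samid form.

```powershell
# Added example, not from the original answer. Derives the DNS domain name from
# the DC= components of a distinguished name. Function name is an assumption.
function Get-DomainFromDistinguishedName {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    # Split on commas that are not escaped with a backslash, so a CN such as
    # "Smith\, John" is kept whole rather than split into two pieces.
    $parts = [regex]::Split($DistinguishedName, '(?<!\\),')

    # Keep only the values of DC= components, in the order they appear.
    $dcParts = foreach ($p in $parts) {
        $kv = $p.Trim() -split '=', 2
        if ($kv.Count -eq 2 -and $kv[0].Trim() -ieq 'DC') { $kv[1].Trim() }
    }
    if (-not $dcParts) { throw "No DC= components in '$DistinguishedName'" }

    return ($dcParts -join '.')
}

# Constructed sample DN (not a real account) with an escaped comma in the CN.
Get-DomainFromDistinguishedName 'CN=Smith\, John,OU=Sales,DC=corp,DC=example,DC=com'

# With the ActiveDirectory RSAT module, the same idea gives the pre-Windows 2000
# logon name in DOMAIN\samid form (address is a placeholder):
# $u = Get-ADUser -Filter "mail -eq 'first.last@example.com'" -Properties sAMAccountName
# $dns = Get-DomainFromDistinguishedName $u.DistinguishedName
# $netbios = (Get-ADDomain -Identity $dns).NetBIOSName
# "$netbios\$($u.SamAccountName)"
```

The NetBIOS name is looked up from the domain rather than guessed from the first DC= label, because the two need not match (a domain named corp.example.com may have a NetBIOS name that is not CORP).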

Get List of servers part of AD group

How is it possible to get the list of servers which are assigned to a group or nested group?
Example:
Group A is assigned to server A. Group B is assigned to server B.
User1 and user2 are members of Group12. Then Group12 is added as a member of Group A and Group B.
Now I want to get the list of servers user1 and user2 have access to.
I am able to retrieve the groups each user is a member of. But I still do not know which servers are added to Group12, for example.
Expected Outcome
Some command -GroupID Group12
Output --> ServerA and Server2
Some command -UserName user1
Output --> ServerA and ServerB
From what I could understand from your query, you want to retrieve the members of groups in AD.
You can use the PowerShell cmdlet Get-ADGroupMember to query the members of a group, as shown below:
# you need to have RSAT (Remote Server Administration Tools) module installed
# on the system where you're going to run below cmdlets in PowerShell
Import-Module ActiveDirectory
Get-ADGroupMember -Identity "GroupA" -Recursive # to get members of Group A
Get-ADGroupMember -Identity "GroupB" -Recursive # to get members of Group B
Get-ADGroupMember -Identity "Group12" -Recursive # to get members of Group 12
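The cmdlets above list the members of one group. The question asks for the reverse direction as well: which servers a user or a group can reach through nesting. The added example below (not the answer's code) resolves every group a principal belongs to, nested groups included, and then lists the computer objects found in those groups together with the group that grants the access. It assumes the ActiveDirectory RSAT module and that "assigned to a server" means the server's computer object is a member of the group; if the group is instead granted rights on the server itself (for example in its local Administrators group), the directory alone cannot answer the question. The function names are assumptions.

```powershell
# Added example, not from the original answer. Requires the ActiveDirectory RSAT
# module. Assumes "assigned to a server" means the server's computer object is a
# member of the group. Function names are assumptions.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping so a name or DN containing \ * ( ) cannot alter the filter.
    param([Parameter(Mandatory)][string]$Value)
    return $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
}

function Get-ServersReachableBy {
    param([Parameter(Mandatory)][string]$SamAccountName)   # a user or a group name

    $safeName  = ConvertTo-LdapFilterValue $SamAccountName
    $principal = Get-ADObject -LDAPFilter "(&(sAMAccountName=$safeName)(|(objectCategory=person)(objectCategory=group)))"
    if (-not $principal) { throw "No user or group named '$SamAccountName'" }

    # LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) makes the domain
    # controller expand nested membership, so one query returns Group12, Group A
    # and Group B for user1 in the question's example.
    $safeDn = ConvertTo-LdapFilterValue $principal.DistinguishedName
    $groups = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$safeDn)")
    if ($principal.ObjectClass -eq 'group') {
        # A group's own members count as well, not only those of its parents.
        $groups += Get-ADGroup -Identity $principal.DistinguishedName
    }

    # Flatten each group and keep only computer objects, noting the granting group.
    $results = foreach ($g in $groups) {
        Get-ADGroupMember -Identity $g.DistinguishedName -Recursive |
            Where-Object { $_.objectClass -eq 'computer' } |
            ForEach-Object { [pscustomobject]@{ Server = $_.Name; ViaGroup = $g.Name } }
    }
    $results | Sort-Object Server, ViaGroup -Unique
}

# Usage with the names from the question:
# Get-ServersReachableBy -SamAccountName 'user1'     # servers user1 reaches, and through which group
# Get-ServersReachableBy -SamAccountName 'Group12'   # servers reachable through Group12's nesting
```

Keeping the ViaGroup column matters for an access review: when a server shows up unexpectedly, it tells you which nesting link to remove instead of leaving you to retrace the chain by hand.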

Airflow Configuring AD/LDAP Admin Users And Regular Users

I have Airflow successfully setup to work with my AD/LDAP when everyone is a superuser and data profiler. But now I want to define an admin group and a regular user group. I have the following settings,
Working Config Where Everyone Is An Admin:
# set a connection without encryption: uri = ldap://<your.ldap.server>:<port>
uri = ldap://123.456.789:123
user_filter = objectClass=*
# in case of Active Directory you would use: user_name_attr = sAMAccountName
user_name_attr = sAMAccountName
# group_member_attr should be set accordingly with *_filter
# eg :
# group_member_attr = groupMembership
# superuser_filter = groupMembership=CN=airflow-super-users...
group_member_attr = member
group_name_attr = CN
group_filter = objectclass=group
bind_user = CN=blah,OU=foo,DC=us,DC=bar,DC=com
bind_password = yahoo
basedn = DC=us,DC=bar,DC=com
# Set search_scope to one of them: BASE, LEVEL , SUBTREE
# Set search_scope to SUBTREE if using Active Directory, and not specifying an Organizational Unit
search_scope = SUBTREE
New Config With Specific Admin Group Set:
# set a connection without encryption: uri = ldap://<your.ldap.server>:<port>
uri = ldap://123.456.789:123
user_filter = objectclass=*
# in case of Active Directory you would use: user_name_attr = sAMAccountName
user_name_attr = sAMAccountName
# group_member_attr should be set accordingly with *_filter
# eg :
# group_member_attr = groupMembership
# superuser_filter = groupMembership=CN=airflow-super-users...
superuser_filter = memberOf=CN=MyAdminGroupName,OU=foo,DC=us,DC=bar,DC=com
data_profiler_filter = memberOf=CN=MyAdminGroupName,OU=foo,DC=us,DC=bar,DC=com
group_member_attr = member
group_name_attr = CN
group_filter = objectclass=group
bind_user = CN=blah,OU=foo,DC=us,DC=bar,DC=com
bind_password = yahoo
basedn = DC=us,DC=bar,DC=com
# Set search_scope to one of them: BASE, LEVEL , SUBTREE
# Set search_scope to SUBTREE if using Active Directory, and not specifying an Organizational Unit
search_scope = SUBTREE
Resource: https://airflow.apache.org/security.html
With this new configuration I am able to log into the Airflow UI but I'm no longer able to view the Admin tab. I am 100% sure I am a part of the admin group MyAdminGroupName. I'm also not sure where to put my regular user group name MyRegularGroupName.
Can someone please guide me on how to configure my Admin group (MyAdminGroupName) and my regular user group (MyRegularGroupName)?
I also struggled with setting up LDAP in Airflow.
First off: What is group_filter = objectclass=group in your config? I cannot find it specified in the docs or in the ldap_auth.py.
Then, your group_member_attr is set to member, but in the filter queries you're using memberOf, so I guess that memberOf should be your group_member_attr (it usually is, if you're using Active Directory).
Your superuser_filter and data_profiler_filter look good to me.
To whoever reads this: the filters are inserted into a string like this in the code: (&(<FILTER_HERE>)), so if you want to build a more sophisticated filter, take this into account.
E.g. I wanted to only give three users superuser rights (using environment variables for config):
AIRFLOW__LDAP__SUPERUSER_FILTER: "&(objectCategory=Person)(|(sAMAccountName=user1)(sAMAccountName=user2)(sAMAccountName=user3))(memberOf=CN=MyDepartment,OU=Departments,OU=UserGroup,DC=MyCompany,DC=local)"
Regarding your question about MyRegularUserGroup: I guess you can specify the user filter to filter for persons in your regular user group and then specify the admin group for superuser and data profiler. But that would only work if the admin group is a subset of the regular user group.
Hope that helps.
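An added example, not Airflow's own code and not from the answer above. It applies the wrapping the answer describes, (&(<FILTER>)), and rejects filters that become malformed once wrapped, so a bad superuser_filter is caught before it silently grants nobody the Admin tab. It also goes one step beyond the answer: an OR of both groups in user_filter removes the condition that the admin group must be a subset of the regular group. The group DNs are the placeholder names from the question, and it assumes user_filter is wrapped the same way as the other filters.

```powershell
# Added example, not Airflow's code. Reproduces the (&(<FILTER>)) wrapping the
# answer describes and validates the result. Function name is an assumption.
function New-AirflowLdapFilter {
    param([Parameter(Mandatory)][string]$Filter)

    if ($Filter.StartsWith('(')) {
        # "(&((memberOf=...)))" is not a valid RFC 4515 filter: the config value
        # must omit the outer parentheses because Airflow adds them itself.
        throw "Omit the outer parentheses; Airflow adds them: $Filter"
    }
    $wrapped = "(&($Filter))"

    # Parentheses must balance or the LDAP server rejects the search outright.
    $depth = 0
    foreach ($ch in $wrapped.ToCharArray()) {
        if ($ch -eq '(') { $depth++ }
        elseif ($ch -eq ')') { $depth--; if ($depth -lt 0) { throw "Unbalanced ')' in $wrapped" } }
    }
    if ($depth -ne 0) { throw "Unbalanced '(' in $wrapped" }
    return $wrapped
}

# Placeholder group DNs taken from the question.
$adminGroup   = 'CN=MyAdminGroupName,OU=foo,DC=us,DC=bar,DC=com'
$regularGroup = 'CN=MyRegularGroupName,OU=foo,DC=us,DC=bar,DC=com'

# user_filter: everyone allowed to log in at all. The leading '|' with no outer
# parentheses is the same shape as the AIRFLOW__LDAP__SUPERUSER_FILTER example above.
$userFilter      = New-AirflowLdapFilter "|(memberOf=$regularGroup)(memberOf=$adminGroup)"
# superuser_filter and data_profiler_filter: the admin group only.
$superuserFilter = New-AirflowLdapFilter "memberOf=$adminGroup"

# The argument strings above are the values to put in airflow.cfg; the wrapped
# forms below are what the server actually receives.
$userFilter
$superuserFilter
```

Test the wrapped strings with an ordinary LDAP search tool against the directory before changing airflow.cfg: if the superuser filter returns your own account there, the Admin tab problem is in the Airflow configuration rather than in the filter itself.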

How to add an attribute to an LDAP schema

I am trying to add a new attribute named sAMAccountName to an already existing LDAP schema definition which is read by IM-LDAP using UnboundID LDAP SDK.
I have added an attributeTypes entry and sAMAccountName to matchingRuleUse.
attributeTypes: ( 2.5.18.11 NAME 'sAMAccountName' DESC 'MS Sec Principal User' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )
matchingRuleUse: ( 2.5.13.1 NAME 'distinguishedNameMatch' APPLIES ( creatorsName $ ... $ sAMAccountName ) )
For every previously existing attribute a call to com.unboundid.ldap.sdk.schema.Schema.getAttributeType("attrName") returns the attribute type. But not for my new attribute.
What am I missing?
Edited 10/11/18 after @jwilleke's comment:
What I am trying to achieve is a mock using IM-LDAP for a very limited functionality of an Active Directory server.
In the actual AD production environment, there are entries representing users with objectClass: person, organizationalPerson, simulatedMicrosoftSecurityPrincipal.
In AD these entries contain sAMAccountName and memberof attributes.
But they are not there in the schema that comes with IM-LDAP.
The authentication Java code first performs a search on
(&(objectClass=user)(sAMAccountName=userAccountName))
Then if an entry is found, it checks whether a given security group name is present in the multivalued attribute memberof.
An entry exported from the production AD server looks like this:
dn: cn=Smith\,John,ou=User Accounts,dc=ACME,dc=CORE,dc=INT
changetype: add
objectClass: person
objectClass: organizationalPerson
objectClass: simulatedMicrosoftSecurityPrincipal
cn: Smith,John
sn: JohnS
sAMAccountName: JohnS
userPassword: johnspasswd
memberof: ou=Service Accounts,dc=ACME,dc=CORE,dc=INT
The two new attributes are added to objectClass simulatedMicrosoftSecurityPrincipal in the schema by adding:
objectClasses: ( 2.5.6.24 NAME 'simulatedMicrosoftSecurityPrincipal' DESC 'MSSecurityPrincipal' SUP top AUXILIARY MUST sAMAccountName MAY memberof )
But when I try to import these entries into the LDAP mock I get an error telling me that sAMAccountName and memberof are not defined.
EDIT 2:
attributeTypes: ( 1.2.840.113556.1.4.221 NAME 'sAMAccountName' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
Worked for adding sAMAccountName, but still trying to figure out how to add memberOf.
Here is the complete .ldif file.
This is what finally worked for me:
objectClasses: ( 1.2.840.113556.1.5.6 NAME 'microsoftSecurityPrincipal' DESC 'MS SecurityPrincipal' SUP top AUXILIARY MUST ( sAMAccountName $ memberOf ) )
attributeTypes: ( 1.2.840.113556.1.4.221 NAME 'sAMAccountName' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
attributeTypes: ( 1.2.840.113556.1.2.102 NAME 'memberOf' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
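The import error in the question ("sAMAccountName and memberof are not defined") came from an objectClass that listed attributes in MUST/MAY before both had attributeTypes entries. The added example below, which is not part of the question or of the UnboundID SDK, checks a schema LDIF fragment for exactly that: every attribute referenced by MUST or MAY must have an attributeTypes definition. It runs on constructed input built from the schema lines shown in the question; the function names are assumptions.

```powershell
# Added example, not from the question. Checks that every MUST/MAY attribute of an
# objectClasses entry has a matching attributeTypes entry. Function names assumed.

function Get-UnfoldedLdif {
    # LDIF may continue a long line on the next line with a leading space; rejoin them.
    param([string[]]$Lines)
    $out = New-Object 'System.Collections.Generic.List[string]'
    foreach ($l in $Lines) {
        if ($l.StartsWith(' ') -and $out.Count -gt 0) { $out[$out.Count - 1] += $l.Substring(1) }
        else { $out.Add($l) }
    }
    return $out
}

function Get-SchemaNames {
    # NAME 'x'  or  NAME ( 'x' 'y' )  -> the quoted names
    param([string]$Definition)
    if ($Definition -match "NAME\s+(\(\s*(?:'[^']+'\s*)+\)|'[^']+')") {
        return @([regex]::Matches($Matches[1], "'([^']+)'") | ForEach-Object { $_.Groups[1].Value })
    }
}

function Get-SchemaAttributeList {
    # MUST x  or  MUST ( x $ y )  -> the attribute names listed after the keyword
    param([string]$Definition, [string]$Keyword)
    $pattern = '\b' + $Keyword + '\s+(\(\s*([^)]*)\)|([\w.;-]+))'
    if ($Definition -match $pattern) {
        $raw = if ($Matches[2]) { $Matches[2] } else { $Matches[3] }
        return @($raw -split '\$' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
}

function Test-SchemaAttributeReferences {
    param([Parameter(Mandatory)][string[]]$SchemaLines)
    $lines = Get-UnfoldedLdif $SchemaLines

    # LDAP attribute names are case-insensitive, so 'memberof' satisfies 'memberOf'.
    $defined = New-Object 'System.Collections.Generic.HashSet[string]' ([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($line in $lines) {
        if ($line -match '^attributeTypes:') {
            foreach ($n in (Get-SchemaNames $line)) { [void]$defined.Add($n) }
        }
    }

    $problems = @()
    foreach ($line in $lines) {
        if ($line -notmatch '^objectClasses:') { continue }
        $className = (Get-SchemaNames $line) | Select-Object -First 1
        foreach ($kw in 'MUST', 'MAY') {
            foreach ($attr in (Get-SchemaAttributeList $line $kw)) {
                if (-not $defined.Contains($attr)) {
                    $problems += "$className $kw references undefined attribute '$attr'"
                }
            }
        }
    }
    return ,$problems
}

# Constructed input 1: the state after the first EDIT in the question, where the
# objectClass references memberof but no attributeTypes entry defines it.
$before = @(
    "attributeTypes: ( 2.5.18.11 NAME 'sAMAccountName' DESC 'MS Sec Principal User' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )",
    "objectClasses: ( 2.5.6.24 NAME 'simulatedMicrosoftSecurityPrincipal' DESC 'MSSecurityPrincipal' SUP top AUXILIARY MUST sAMAccountName MAY memberof )"
)
# Constructed input 2: the three lines that finally worked.
$after = @(
    "objectClasses: ( 1.2.840.113556.1.5.6 NAME 'microsoftSecurityPrincipal' DESC 'MS SecurityPrincipal' SUP top AUXILIARY MUST ( sAMAccountName `$ memberOf ) )",
    "attributeTypes: ( 1.2.840.113556.1.4.221 NAME 'sAMAccountName' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
    "attributeTypes: ( 1.2.840.113556.1.2.102 NAME 'memberOf' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )"
)

Test-SchemaAttributeReferences $before   # reports the undefined memberof reference
Test-SchemaAttributeReferences $after    # reports nothing
```

Running a check like this over the whole schema file before loading it into the mock server turns the SDK's generic "not defined" error into a message naming the objectClass and the attribute that need fixing.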
