Written an app that grabs info of a specific computer using WMI remotely. Currently, I have to auth on each computer using one of the machine's local accounts. What I would like and what I'm trying to do is to be able to auth using a domain account (one of the accounts on the AD domain controller machine).
Right now, I can auth to domain machines only with local accounts with the exception of the domain controller. I can log on the AD DC using domain accounts by using NTLM protocol. The piece that isn't working is thus logging on to domain machines other than the DC using domain accounts.
Is this a code-issue or is it an AD setting issue, like I need to instruct the domain machines to always check with the DC when a user auths or something?
I'm using the System.Management.ManagementScope class in C# to handle all this currently. Any help would be much appreciated.
I'm quite the newbie when it comes to AD and domains.
EDIT: Solved it.
The Active Directory account in use needs to be given the permission called "Trusted for Delegation" in order to work on computers other than Domain Controllers. This right is extremely powerful, effectively allowing your account to present itself as any other account on the domain.
The alternative is to pass explicit permissions to the process. Bear in mind, though, that when connecting to another computer via WMI, the process created on the remote computer will not be able to authenticate to other computers on the domain; this is considered 3rd party delegation. There is a workaround to this limitation created by Frank White (on SO).
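Added example (not the poster's code): how a remote WMI connection with explicit domain credentials looks with ManagementScope. Host, domain and account names are placeholders; note the impersonation level, since Delegate is what needs the "Trusted for Delegation" setting the edit describes, while Impersonate only lets the remote WMI service act as you on that one machine.

```csharp
using System;
using System.Management;

class RemoteWmiQuery
{
    static void Main()
    {
        string host = "workstation01";               // placeholder remote computer

        var options = new ConnectionOptions
        {
            Username = "CONTOSO\\svc-inventory",     // placeholder domain account
            Password = "REPLACE_ME",                 // placeholder; load from a vault, not source
            // Pin the authority to the domain so the target does not try a same-named
            // local account instead of the AD account.
            Authority = "ntlmdomain:CONTOSO",
            // Impersonate: the remote WMI service may act as the caller on the target
            // only. Delegate would let it hop to third machines and requires the account
            // to be marked "Trusted for Delegation" in AD (the far more powerful right).
            Impersonation = ImpersonationLevel.Impersonate,
            // Sign and encrypt the DCOM traffic rather than accepting the default level.
            Authentication = AuthenticationLevel.PacketPrivacy,
            EnablePrivileges = false,
            Timeout = TimeSpan.FromSeconds(30)
        };

        var scope = new ManagementScope($"\\\\{host}\\root\\cimv2", options);
        // Throws UnauthorizedAccessException or COMException (0x800706BA etc.) on failure,
        // which is where "local account works, domain account does not" shows up.
        scope.Connect();

        var query = new ObjectQuery(
            "SELECT Caption, Version, LastBootUpTime FROM Win32_OperatingSystem");
        using (var searcher = new ManagementObjectSearcher(scope, query))
        {
            foreach (ManagementObject os in searcher.Get())
            {
                Console.WriteLine(
                    $"{host}: {os["Caption"]} {os["Version"]}, booted {os["LastBootUpTime"]}");
            }
        }
    }
}
```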
I'm trying to set up a Service Account that can access the GMail API, but for security purposes I want it limited to only a single mailbox (I don't want the development team to have full access to all mailboxes in the organization.)
My understanding of how Google handles service accounts and permissions is limited. I can't seem to find specific details about how this would be set up. I have set up a service account with client ID and secret. And I have associated that with an API client that has the GMail read-only scope. But how does that get associated with a specific mailbox? I do see a setting that allows "domain wide delegation", which seems concerning.
Maybe I'm just not understanding this correctly, but does that mean this service account can now read the contents of all mailboxes in the GSuite account?
How do I make sure this service account is limited to the one mailbox I want it to access?
I think you are talking about user impersonation using the service account. I am afraid that it is not possible to limit the access that the service account can have. The only possible limitations are related to the creation of credentials on the project and things like that, but if a service account has domain-wide delegation to do user impersonation, then it is not possible to set up limitations on it.
You can find more info about the possible limitations here https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts
Problem statement
I need to make finding all the available Active Directory groups and their relationships in a tree and forest structure, for each and every enterprise application held on an AD domain server, easy to identify and understand by business users and technical users via an existing IT Service Request web-based application.
What I am hoping to achieve as an outcome is:
Knowledge of an API that I can connect to extract this metadata from and synchronise with the IT Service Request Application
Knowledge of what metadata AD Domain Servers are capable of providing
Knowledge of how to connect and synchronise the meta data from the IT Service Request Web based Application without compromising security
You didn't say which language you want to use. I will assume you will use one of the .NET languages, since that is by far the easiest to interact with AD.
To read the Active Directory schema, you can use ActiveDirectorySchema.GetCurrentSchema(). That will return an ActiveDirectorySchema object that you can use to read much of the information you would want to know. There are examples of how to use it here.
For your 3rd point: to read this data you have to be authenticated as a user of that domain (or a trusted domain). Authentication is already built in. When you use ActiveDirectorySchema.GetCurrentSchema(), for example, it uses the credentials of the current user to authenticate.
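Added example (not the answerer's code) covering both halves of the answer: it reads the schema definition of the group class to show what metadata AD can provide, then walks group nesting via memberOf, all under the current user's credentials with no password handled by the application.

```csharp
using System;
using System.DirectoryServices;
using System.DirectoryServices.ActiveDirectory;

class AdGroupInventory
{
    static void Main()
    {
        // 1. Schema: which attributes can a group object carry at all?
        //    Authenticates implicitly as the user running the process.
        ActiveDirectorySchema schema = ActiveDirectorySchema.GetCurrentSchema();
        ActiveDirectorySchemaClass groupClass = schema.FindClass("group");
        Console.WriteLine($"Class '{groupClass.Name}' ({groupClass.CommonName})");
        foreach (ActiveDirectorySchemaProperty p in groupClass.MandatoryProperties)
            Console.WriteLine($"  mandatory: {p.Name} ({p.Syntax})");
        foreach (ActiveDirectorySchemaProperty p in groupClass.OptionalProperties)
            Console.WriteLine($"  optional:  {p.Name} ({p.Syntax})");

        // 2. Data: every group and the groups it is nested in (memberOf),
        //    which is the parent/child relationship a tree view needs.
        using (var rootDse = new DirectoryEntry("LDAP://RootDSE"))
        {
            string baseDn = (string)rootDse.Properties["defaultNamingContext"].Value;
            using (var baseEntry = new DirectoryEntry("LDAP://" + baseDn))
            using (var search = new DirectorySearcher(baseEntry, "(objectClass=group)"))
            {
                search.PropertiesToLoad.AddRange(new[] { "distinguishedName", "memberOf" });
                search.PageSize = 500;   // paged results; large domains exceed the 1000 default
                using (SearchResultCollection results = search.FindAll())
                {
                    foreach (SearchResult r in results)
                    {
                        string dn = (string)r.Properties["distinguishedName"][0];
                        Console.WriteLine(dn);
                        foreach (string parent in r.Properties["memberOf"])
                            Console.WriteLine("  member of: " + parent);
                    }
                }
            }
        }
    }
}
```

Read-only access like this needs nothing beyond a normal domain user, so the sync job for the service request application can run under an ordinary service account rather than a privileged one.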
I'm struggling with my MVC5 webapp that is hosted on Azure. I need to secure it (of course) but I don't want to let the users create yet another account, with another password they can forget.
So I've looked into Azure Access Control (ACS). It looks nice, but the Identity Providers provided are very limited. I'm missing LinkedIn as an IP, for example. Therefore a lot of users will have to create a new account with a company email address. Facebook users typically use their private email address.
So Azure Active Directory looks fine. You can federate with a local Active Directory. But after diving into it, it seems that you cannot create a tenant from your code. So the user must first do things in the Azure portal, and that is confusing; I want to make things as easy as possible.
What do I need:
authentications of users without storing their password myself
creation of new users by code
be able to federate to a customer's Active Directory (on-premises or Azure Active Directory)
users must be able to use whatever email address they're using
Do you have good suggestions to accomplish this?
You can manage users in AAD using the Graph API.
Using DirSync or AADSync, you can propagate your on-premises users to AAD.
Users will have to log on on-premises and again in the cloud, but using the same credentials (Same Sign On).
Adding ADFS to the mix gives you SSO. (Single Sign On).
Typically, only the corporate domain can be used for email addresses.
For other applications, look at: Azure Active Directory applications.
I was wondering if it was possible to still allow web applications to authenticate (ASP.Net authentication with windows forms pointing to AD) while disabling the account from logging into the physical on campus terminal computers.
Thank you.
-Devin
I'd suggest futzing with the userWorkstations attribute. Set their account to some non-existent or benign workstation. I haven't tested this myself, so you might find you need to specify some IIS servers (or else the account will be locked out of those as well).
Hope this helps.
http://blogs.technet.com/b/heyscriptingguy/archive/2006/02/17/how-can-i-specify-the-computers-a-user-can-use-to-log-on-to-the-domain.aspx
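Added example (not the answerer's code) of writing the userWorkstations attribute from C# with System.DirectoryServices, listing only the IIS hosts the answer says may need to stay allowed. The user DN and host names are placeholders; the GUI-equivalent "Log On To" list caps out at 64 names.

```csharp
using System;
using System.DirectoryServices;

class RestrictLogonWorkstations
{
    static void Main()
    {
        // Placeholder distinguished name of the account to restrict.
        string userDn = "CN=Devin Example,OU=Staff,DC=campus,DC=example";

        // Comma-separated NetBIOS names. An empty value means "all computers";
        // naming only the web servers keeps ASP.NET Windows authentication working
        // while interactive logons at campus terminals are refused by the DC.
        string[] allowedHosts = { "WEB01", "WEB02" };

        using (var user = new DirectoryEntry("LDAP://" + userDn))
        {
            string before = user.Properties["userWorkstations"].Value as string;
            Console.WriteLine($"userWorkstations before: {before ?? "(unrestricted)"}");

            user.Properties["userWorkstations"].Value = string.Join(",", allowedHosts);
            user.CommitChanges();   // requires write permission on the user object

            // Re-read from the directory to confirm the stored value.
            user.RefreshCache(new[] { "userWorkstations" });
            Console.WriteLine($"userWorkstations after:  {user.Properties["userWorkstations"].Value}");
        }
    }
}
```

Try it on a test account first and watch for logon failures from the web servers, since the answer above has not verified which hosts must be present for IIS authentication to succeed.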
I have two AD servers, each having one domain (one DC) in one forest. There is a two-way forest-wide trust created between the domains, but users of one domain cannot remotely log in to another. But when I create a share without giving any access control, users of both domains can access the share, confirming that the trust is created.
Can users remotely log in from one domain to another domain? If so, how?
I am very new to these concepts, any help is highly appreciated.
"Remotely login"? You mean with Terminal Services (RDP)? They need permission to log in via Remote Desktop.
What errors are they getting, and where are they getting them?