Hi!

I've just set up the self-service portal for our users so that they themselves can unlock their account if it gets locked. I have a couple of different policies in place and would like to enforce a stricter policy on the users that are local admins on their own computer .... I'm guessing that this information isn't available anywhere, so I can't 'target' that automatically. Any ideas?

I'm thinking of making an AD group with users that are local admins on their own machine, but can that in turn be auto-populated somehow? Or can the self-service portal automatically select a specific policy if the user is a local admin (even if it's an unlock scenario - perhaps some detection during enrollment?).

No SelfService client installed at this point.

by (650 points)

1 Answer

by (294k points)
Best answer

Hello Kaj,

Or can the self-service portal automatically select a specific policy if the user is a local admin (even if it's an unlock scenario - perhaps some detection during enrollment?).

There is no such possibility.

I'm thinking of making an AD group with users that are local admins on their own machine, but can that in turn be auto-populated somehow?

Yes, this can be done using a Scheduled Task and a PowerShell script. The script will take the members of the local Administrators group, save their SIDs to a multi-value text property of the computer and add the users to the required AD group. For the property that will store the administrator SIDs, we recommend using one of the Adaxes custom attributes (e.g. CustomAttributeTextMultiValue1). To create the Scheduled Task:

  1. Launch Adaxes Administration Console.

  2. Right-click your Adaxes service node, navigate to New and click Scheduled Task.

  3. On step 3 of the Create Scheduled Task wizard, select the Computer object type and click Next.

  4. Click Add Action.

  5. Select Run a program or PowerShell script.

  6. Enter a short description and paste the script below into the Script field.

     $localGroupName = "Administrators" # TODO: modify me
     $groupDN = "CN=MyGroup,OU=Groups,DC=Example,DC=com" # TODO: modify me
     $savedSidsAttributeName = "adm-CustomAttributeTextMultiValue1" # TODO: modify me

     # Collects the SIDs of domain users that are members of the local group on the
     # computer, expanding domain groups nested in it. Returns $false if the computer
     # could not be queried, so that the caller does not treat "no data" as "no admins".
     function GetLocalGroupMembers($computerName, $localGroupName, $domainSid, $localAdministratorsSids, $domainName)
     {
         if (!(Test-Connection -ComputerName $computerName -Count 1 -Quiet))
         {
             $Context.LogMessage("Connecting to computer '$computerName' failed", "Warning")
             return $false
         }

         # Enumerate members of the local group via the WinNT provider
         try
         {
             $group = [ADSI]"WinNT://$computerName/$localGroupName"
             $members = @($group.Invoke("Members"))
         }
         catch
         {
             $Context.LogMessage("Reading group '$localGroupName' on '$computerName' failed: " + $_.Exception.Message, "Warning")
             return $false
         }

         foreach ($member in $members)
         {
             $memberClass = $member.GetType().InvokeMember("Class", "GetProperty", $null, $member, $null)
             $memberSidBytes = $member.GetType().InvokeMember("objectSID", "GetProperty", $null, $member, $null)
             $memberSid = New-Object "Softerra.Adaxes.Adsi.Sid" @($memberSidBytes, 0)

             # Skip well-known SIDs, local accounts and principals from other domains
             if ($null -eq $memberSid.AccountDomainSid -or $memberSid.AccountDomainSid.CompareTo($domainSid) -ne 0)
             {
                 continue
             }

             if ($memberClass -eq "Group")
             {
                 # Domain group nested in the local group: collect its user members
                 GetDomainGroupMembers $memberSid $localAdministratorsSids $domainName
             }
             else
             {
                 [void]$localAdministratorsSids.Add($memberSid)
             }
         }

         return $true
     }

     # Adds the SIDs of the user objects that are members of the domain group to $localAdministratorsSids
     function GetDomainGroupMembers($groupSid, $localAdministratorsSids, $domainName)
     {
         # Get GUIDs of the group members
         $group = $Context.BindToObject("Adaxes://<SID=$groupSid>")
         try
         {
             $memberGuidsBytes = $group.GetEx("adm-MembersGuid")
         }
         catch
         {
             return # the group has no members
         }

         # Build an LDAP filter matching those members that are user objects
         $filter = New-Object "System.Text.StringBuilder"
         $filter.Append("(&(sAMAccountType=805306368)(|") | Out-Null
         foreach ($guidBytes in $memberGuidsBytes)
         {
             $filter.Append([Softerra.Adaxes.Ldap.FilterBuilder]::Create("objectGuid", $guidBytes)) | Out-Null
         }
         $filter.Append("))") | Out-Null

         # Search the domain for those users and collect their SIDs
         $searcher = $Context.BindToObject("Adaxes://$domainName/rootDSE")
         $searcher.SearchFilter = $filter.ToString()
         $searcher.PageSize = 500
         $searcher.SearchScope = "ADS_SCOPE_SUBTREE"
         $searcher.SetPropertiesToLoad(@("objectSid"))

         $searchResultIterator = $NULL
         try
         {
             $searchResultIterator = $searcher.ExecuteSearch()
             $searchResults = $searchResultIterator.FetchAll()

             foreach ($searchResult in $searchResults)
             {
                 $sid = New-Object "Softerra.Adaxes.Adsi.Sid" @($searchResult.Properties["objectSid"].Value, 0)
                 [void]$localAdministratorsSids.Add($sid)
             }
         }
         finally
         {
             if ($searchResultIterator) { $searchResultIterator.Dispose() }
         }
     }

     # Get domain SID
     $domainName = $Context.GetObjectDomain("%distinguishedName%")
     $domain = $Context.BindToObject("Adaxes://$domainName")
     $domainSid = New-Object "Softerra.Adaxes.Adsi.Sid" @($domain.Get("objectSID"), 0)

     # Get current local administrators. Stop if the computer could not be queried;
     # otherwise an empty result would remove every saved member from the group.
     $localAdministratorsSids = New-Object "System.Collections.Generic.HashSet[Softerra.Adaxes.Adsi.Sid]"
     if (!(GetLocalGroupMembers "%dNSHostName%" $localGroupName $domainSid $localAdministratorsSids $domainName))
     {
         return
     }

     # Get SIDs saved by the previous run
     try
     {
         $savedSidsStrings = $Context.TargetObject.GetEx($savedSidsAttributeName)
     }
     catch
     {
         $savedSidsStrings = @()
     }

     $sidsToSave = New-Object System.Collections.ArrayList
     $group = $Context.BindToObjectByDN($groupDN)
     foreach ($sidString in $savedSidsStrings)
     {
         $sid = New-Object "Softerra.Adaxes.Adsi.Sid" $sidString
         if ($localAdministratorsSids.Remove($sid))
         {
             # Still a local administrator: keep the group membership
             [void]$sidsToSave.Add($sid.Value)
             continue
         }

         # No longer a local administrator: remove the user from the group
         try
         {
             $group.Remove("Adaxes://<SID=$sid>")
         }
         catch
         {
             $Context.LogMessage("Removing '$sid' from group failed: " + $_.Exception.Message, "Warning")
         }
     }

     # New local administrators: add them to the group
     foreach ($sid in $localAdministratorsSids)
     {
         try
         {
             $group.Add("Adaxes://<SID=$sid>")
         }
         catch
         {
             $Context.LogMessage("Adding '$sid' to group failed: " + $_.Exception.Message, "Warning")
             continue
         }
         [void]$sidsToSave.Add($sid.Value)
     }

     # Save the current list of administrator SIDs for the next run
     $Context.TargetObject.Put($savedSidsAttributeName, $sidsToSave.ToArray())
     $Context.TargetObject.SetInfo()
  7. Click OK.

  8. Click Next and finish creating the Scheduled Task.
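The script above can only be exercised inside an Adaxes Scheduled Task. The following is an added example, not code from the original answer or from Adaxes, that isolates the two decisions the script makes (which local group members count as domain principals, and which SIDs to add, remove and save) on plain .NET System.Security.Principal.SecurityIdentifier objects, so the logic can be dry-run on any workstation. The function names, the member objects (shaped like the output of Get-LocalGroupMember: Name, SID, ObjectClass, PrincipalSource) and all SIDs and account names are constructed for the example.

```powershell
# Added example (not from the original post or from Adaxes): the same membership
# reconciliation as the Scheduled Task script, on plain .NET SIDs. All SIDs,
# account names and the domain SID below are constructed sample data.

function Get-DomainPrincipalsFromLocalGroup {
    param(
        [Parameter(Mandatory)] [object[]] $LocalMembers,   # objects with SID, ObjectClass
        [Parameter(Mandatory)] [System.Security.Principal.SecurityIdentifier] $DomainSid
    )
    $users  = New-Object 'System.Collections.Generic.HashSet[string]'
    $groups = New-Object 'System.Collections.Generic.HashSet[string]'
    foreach ($m in $LocalMembers) {
        $sid = [System.Security.Principal.SecurityIdentifier] $m.SID
        # AccountDomainSid is $null for well-known SIDs (e.g. BUILTIN\*) and differs
        # from $DomainSid for local machine accounts and accounts of other domains.
        if ($null -eq $sid.AccountDomainSid -or -not $sid.AccountDomainSid.Equals($DomainSid)) {
            continue
        }
        if ($m.ObjectClass -eq 'Group') { [void]$groups.Add($sid.Value) }
        else                            { [void]$users.Add($sid.Value) }
    }
    # Nested domain groups are returned separately; the caller expands them
    # (the Adaxes script does this with adm-MembersGuid and an LDAP search).
    [pscustomobject]@{ Users = $users; NestedGroups = $groups }
}

function Get-MembershipDelta {
    param(
        [string[]] $CurrentSids = @(),   # SIDs that are local administrators now
        [string[]] $SavedSids   = @()    # SIDs recorded by the previous run
    )
    $current = New-Object 'System.Collections.Generic.HashSet[string]'
    $current.UnionWith([string[]]$CurrentSids)
    $saved = New-Object 'System.Collections.Generic.HashSet[string]'
    $saved.UnionWith([string[]]$SavedSids)

    # Add what is new, remove what was saved but is no longer present,
    # and save exactly the current set for the next run.
    $toAdd = New-Object 'System.Collections.Generic.HashSet[string]'
    $toAdd.UnionWith($current); $toAdd.ExceptWith($saved)
    $toRemove = New-Object 'System.Collections.Generic.HashSet[string]'
    $toRemove.UnionWith($saved); $toRemove.ExceptWith($current)

    [pscustomobject]@{
        ToAdd    = @($toAdd)
        ToRemove = @($toRemove)
        ToSave   = @($current)
    }
}

# Constructed sample: one computer's local Administrators group as reported by
# Get-LocalGroupMember, plus the SIDs saved on the previous run.
$domainSid = [System.Security.Principal.SecurityIdentifier] 'S-1-5-21-1111111111-2222222222-3333333333'
$localMembers = @(
    [pscustomobject]@{ Name = 'PC01\Administrator';    SID = 'S-1-5-21-4444444444-5555555555-6666666666-500';  ObjectClass = 'User';  PrincipalSource = 'Local' }
    [pscustomobject]@{ Name = 'EXAMPLE\Domain Admins'; SID = 'S-1-5-21-1111111111-2222222222-3333333333-512';  ObjectClass = 'Group'; PrincipalSource = 'ActiveDirectory' }
    [pscustomobject]@{ Name = 'EXAMPLE\jdoe';          SID = 'S-1-5-21-1111111111-2222222222-3333333333-1105'; ObjectClass = 'User';  PrincipalSource = 'ActiveDirectory' }
    [pscustomobject]@{ Name = 'EXAMPLE\svc-deploy';    SID = 'S-1-5-21-1111111111-2222222222-3333333333-1107'; ObjectClass = 'User';  PrincipalSource = 'ActiveDirectory' }
    [pscustomobject]@{ Name = 'OTHER\contractor';      SID = 'S-1-5-21-7777777777-8888888888-9999999999-1200'; ObjectClass = 'User';  PrincipalSource = 'ActiveDirectory' }
)
$savedSids = @(
    'S-1-5-21-1111111111-2222222222-3333333333-1105'
    'S-1-5-21-1111111111-2222222222-3333333333-1106'
)

$found = Get-DomainPrincipalsFromLocalGroup -LocalMembers $localMembers -DomainSid $domainSid
# In production, expand $found.NestedGroups (e.g. Get-ADGroupMember -Recursive)
# and add the resulting user SIDs to $found.Users before computing the delta.
$delta = Get-MembershipDelta -CurrentSids @($found.Users) -SavedSids $savedSids
$delta | Format-List
```

Running the sample drops the local Administrator account and the OTHER-domain user, reports Domain Admins as a nested group to expand, and yields a delta in which ToAdd holds the SIDs seen now but not saved, ToRemove the SIDs saved but no longer present, and ToSave the current set. The delta of an empty current set against any saved set removes every saved member, which is why a failed enumeration of the computer (offline, access denied to the SAM) must abort the run rather than proceed with an empty result.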
