Disable Nested Groups in the Web User Interface

Question

Adaxes Support,

Is there a way to disable the Nested Group function of Active Directory in Adaxes. We are using some nested groups in rare cases but our corporate standard is to not use nested groups due to the security ramifacations and the complexity of deep nested groups. I have tried to deny rights to the memberof attrubute in the permissions that are applied to Owner (Managed By ) Trustee assigned over the OU that all our groups are in but this attempt did not work. How can we accomplish turning off or blocking users that manage groups to only added members and not nest groups.

Rodney

Answer 1

Hello Rodney,

There are two ways how you can implement your task.

1. Disallow adding groups to other groups with the help of a Business Rule

You can disallow adding groups to other groups on Adaxes service level, that is, nobody will be able to add groups to other groups in Adaxes. For this purpose you can create a Business Rule executed before adding a member to a Group. When the Business Rule is triggered, it will launch a PowerShell script that will cancel adding member to a group if the new member is another group. If you want to implement this solution, we can help you with the script.

2. Configure Adaxes Web interface

Alternatively, you can configure Adaxes Web interface so that it will not allow adding groups to other groups.

For this purpose, first of all, you need to configure the form that is used for viewing groups and disallow adding/removing group members in the Members section. After doing this, adding/removing members will be possible only in the Member Of section of AD objects or with the help of Home Page Actions. So, to add a user to a group, for example, you will need to locate the necessary user and add him/her to the necessary group in the user's Member Of section. Additionally, you can configure a Home Page Action that will allow to add members to groups and configure the action in such a way that it doesn't allow adding groups to other groups. To implement such a solution:

1. Launch the Web Interface Configuration tool.
2. In the Interface type drop-down list, select the Web Interface you want to configure.
3. Activate the AD Management tab.
4. Click Customize Forms and Views.
   
5. In the dialog box that appears, select the Group object type and activate the View tab.
6. Select the Members section.
7. In the Section Parameters section, deselect the Allow adding/removing members option.
   
8. Click OK.
9. For information on how to create a Home Page Action that allows adding members to groups, see Add to Group in Configure Home Page Actions. In Step 3 you will find information on how to allow adding only objects of specific types.

By the way, in our next version that will be available at the end of September it will be possible to specify, which type of objects will be displayed in the Members and Member Of sections and can be added/removed in these sections.

Comments

I think option 1 will work for us, can you provide the powershell script that can block nested groups?

Thanks,

Rodney

---

Hello Rodney,

Yes, sure, here you are:

$member = $Context.BindToObjectByDN("%member%")

if ($member.Class -ieq "group")
{
    $Context.Cancel("You cannot add groups to other groups!") # TODO: modify me
}

To create a Business Rule that does not allow adding groups to other groups:

1. Create a new Business Rule.
2. On the 2nd step of the Create Business Rule wizard, select Group and Before Adding a member to a Group.
   
3. On the 3rd step, add the Run a program or PowerShell script action and paste the above script in the Script field.