How should inheritance of permissions on AD behave?

Hi Forum members, I am not an AD expert, in fact far from it. We have an in-house application and we use Active Directory to authenticate NT accounts that log in to it. In our application we can configure AD groups in such a way that those
group members get access to specific features and servers in our application. Please see my situation described below:
I have the following config in place in my application:
LondonGroup (a user group, as present in AD) can manage the HR Module of server LondonServer.
BirminghamGroup (as present in AD) can manage the Finance Module of server BirminghamServer.
So when a user of AD group LondonGroup logs in to our application, he/she can manage the HR module on LondonServer. Similarly, when a user of BirminghamGroup logs in, he/she can manage the Finance module on BirminghamServer. That's all fine. The issue arises
when someone in AD makes BirminghamGroup a sub group of LondonGroup, i.e. BirminghamGroup is a member of LondonGroup. When this is set up and a user of AD group LondonGroup logs in to our application, he/she can manage the HR module on LondonServer,
which is still fine, BUT when a user of BirminghamGroup logs in he/she can now access the HR and Finance modules of both LondonServer and BirminghamServer!! This could be because we support the inheritance feature of AD where a sub group gets all access permissions
from its parent group. But is this a problem? E.g. in our application we never set up BirminghamGroup to get access to the HR module on LondonServer!
So my questions are:
1) Is this expected behaviour from an AD point of view? Is this because the group setup in AD is wrong (but there is nothing stopping users from doing this)?
2) Our application looks for the configured groups and then traverses down the tree to locate the user, additively granting access rights on the way. Is this a wrong implementation?
Sorry for the long story, but any guidance will be highly appreciated.

1) Is this expected behaviour from an AD point of view? Is this because the group setup in AD is wrong (but there is nothing stopping users from doing this)?
2) Our application looks for the configured groups and then traverses down the tree to locate the user, additively granting access rights on the way. Is this a wrong implementation?
Yes, this is by design. There is nothing wrong with it. As Pierre mentioned, it is called 'Group Nesting'.
I believe your application is following the concepts of 'Group Nesting', which is fine. It is behaving properly.
If you would not like to have this sort of traversal in your application, you need to isolate the user accounts from being members of 'Nested Groups'.
Mahdi Tehrani | www.mahditehrani.ir
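The following is an added example, not code from the original thread or the poster's application. It models what the question and answer describe: resolving a user's groups transitively (the way a logon token does) means a BirminghamGroup member nested inside LondonGroup additively receives LondonGroup's rights. The group, server and module names come from the thread; the users alice and bob, the dictionaries, and the direct-only mode are assumptions of this example.

```python
"""Model of how nested AD group membership expands into effective
application permissions.  Constructed sample data, not a real directory."""
from collections import deque

# Constructed sample: group -> set of direct members (users or other groups).
# BirminghamGroup has been nested inside LondonGroup, as in the question.
AD_MEMBERS = {
    "LondonGroup": {"alice", "BirminghamGroup"},
    "BirminghamGroup": {"bob"},
}

# The application's own configuration from the thread: group -> {(server, module)}.
APP_CONFIG = {
    "LondonGroup": {("LondonServer", "HR")},
    "BirminghamGroup": {("BirminghamServer", "Finance")},
}


def effective_groups(user, members=AD_MEMBERS):
    """Transitive (nested) membership: every group that contains the user
    directly or through a chain of nested groups.  Breadth-first with a
    visited set, so a circular nesting in the directory cannot loop forever."""
    parents = {}
    for group, direct in members.items():
        for member in direct:
            parents.setdefault(member, set()).add(group)
    seen, queue = set(), deque(parents.get(user, ()))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(parents.get(group, ()))
    return seen


def direct_groups(user, members=AD_MEMBERS):
    """Only groups that list the user directly; nesting is ignored."""
    return {g for g, direct in members.items() if user in direct}


def effective_permissions(user, nested=True):
    """Additive union of the rights granted to each group the user belongs to.
    nested=True reproduces the behaviour the question describes; nested=False
    is an assumed alternative that evaluates direct membership only."""
    groups = effective_groups(user) if nested else direct_groups(user)
    rights = set()
    for group in groups:
        rights |= APP_CONFIG.get(group, set())
    return rights


if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(user, "nested:", sorted(effective_permissions(user)))
        print(user, "direct:", sorted(effective_permissions(user, nested=False)))
```

Running it shows bob (BirminghamGroup only) holding both the Finance and HR rights under nested evaluation, and only Finance under direct-only evaluation.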

Similar Messages

  • How should I set up my users and network? Or fix permissions

    I've been running OS X Server 10.2.8 and all was fine, but I'm having one heck of a time getting permissions to propagate. Anyway, we ran out of disk space and I just added an 80GB drive to the RAID via Software RAID. I am copying everything back onto the RAID now. The RAID is separate from the startup disk and set as a sharepoint with inherit permissions from parent.
    The problem I'm having is that when trying to set the permissions it doesn't propagate them properly. I don't want to click on 18,000 items to set the permission.
    We are an art department with 10 users. There is an Archive folder that is read only, a user folder where each user can see the other users' items but only write to their own folder, a prepress folder for sending things to prepress, and item development that is read only.
    I'm trying to set everything in the Archive as read only and it only propagates to the first level of folders. No items or subfolders.
    I am not using home directories or any net booting. Basically a share point with different folders inside it. Each folder is assigned a group. In the users folder there are 10 folders with different users (groups) assigned to them. The users set up as groups can read and write and everyone else is read only.
    Access settings are typically:
    Owner (Admin) Read Write
    Group (User setup as a group) Read Write
    Everyone Read Only
    Some folders that I want to be read only are setup as:
    Owner (Admin) Read Write
    Group (Group such as Art Department or prepress) Read Only
    Everyone Read Only
    Does this setup look right for a small workgroup? Does anyone know how to propagate the permissions? The protical buttons are greyed out on any folder down from my sharepoint. They say Use standard POSIX behavior.
    Someone help please. Thanks.

    Nevermind. There was a post over in the Terminal forum that mentioned the program BatChmode. That did the trick and fixed the permissions.

  • I recently purchased an external hard drive to back up my iMovies. When I try to open the movies on the backup I get a message "you may not have permission to modify that folder" How do I change permissions on the backup?

    Hi
    One must NEVER move or alter any folders named
    • iMovie Events - or -
    • iMovie Projects - or alike
    on DESKTOP/FINDER - Ever! - ONLY within the iMovie program! Else all connections are broken and hard to impossible to mend!
    but rather do as described here under
    Moving Event's and Project's
    Connection - Either connect one Mac in Target mode to the other via FireWire. Or use an external hard disk !
    (Target-Mode - Start one Mac e.g. laptop - BUT keep T-key down during full up-start - Now a FW-symbol is jumping around the screen and it will work as an external hard disk when connected to the other Mac)
    A. The External Hard Disk - MUST BE - Mac OS Extended (hfs) formatted to work for Video. UNIX/DOS/FAT32/Mac OS Exchange works for most other things but not for Video whatever program is used (iMovie or FinalCut)
    B. Should be a FireWire one as USB/USB2 performs badly to me and especially when filling up
    C. Never move or alter any folder named
    • iMovie Events - or -
    • iMovie Projects
    on Desktop/Finder - as this will result in iMovie losing connections to them and repair can be anything from hard to impossible
    D. Moving and Copying must be done within the iMovie application and Events to Events - and - Projects to Projects.
    E. Moving Projects to Events - Does not work for me - I have to export the project as a QuickTime movie then import this into Events.
    The Events window can show two faces (screenshots not reproduced here).
    From one hard disk Event - you can move it to the other hard disk
    You cannot (at least not me) move Event to Project or the other way around, only
    Event to Event and Project to Project
    Yours Bengt W

  • Should I repair permissions before or after updating to Mac OS X 10.7.2?

    Hi,
    Should I repair permissions before or after updating to Mac OS X 10.7.2? or should I fix permissions before and after the update?

    This is not a routine maintenance. Upgrades can be screwed up if the system that is upgraded is screwed up. I believe in a "better safe than sorry" approach. If you repair permissions and the hard drive prior to an upgrade then if there be a problem perhaps that problem will not propagate to the new upgraded system. If there are no problems doing the repairs is harmless.
    When it comes to the topic of permissions repairs there are many opinions but not much fact. In other words there doesn't appear to be a formal analysis of whether repairing permissions is only useful when a permissions problem arises. But there is a lot of anecdotal evidence suggesting that a repair both before and after a major system upgrade can reduce the risk of problems.
    This is my opinion on the matter. I do not generally disagree with Niel or MacJack, but as I said I prefer to be safe rather than sorry.
    Here's my general approach:
    How to Install Lion Successfully - You must have Snow Leopard 10.6.7 or 10.6.8 Installed
    A. Repair the Hard Drive and Permissions:
    Boot from your Snow Leopard Installer disc. After the installer loads select your language and click on the Continue button. Then select Disk Utility from the Utilities. After DU loads select your hard drive entry (mfgr.'s ID and drive size) from the left side list. In the DU status area you will see an entry for the S.M.A.R.T. status of the hard drive. If it does not say "Verified" then the hard drive is failing or failed. (SMART status is not reported on external Firewire or USB drives.) If the drive is "Verified" then select your OS X volume from the list on the left (sub-entry below the drive entry,) click on the First Aid tab, then click on the Repair Disk button. If DU reports any errors that have been fixed, then re-run Repair Disk until no errors are reported. If no errors are reported click on the Repair Permissions button. Wait until the operation completes, then quit DU and return to the installer. Now restart normally.
    If DU reports errors it cannot fix, then you will need Disk Warrior (4.3.) If DW cannot fix the drive, then you will need to reformat the drive and reinstall Snow Leopard.
    B. Make a Bootable Backup Using Restore Option of Disk Utility:
    Open Disk Utility from the Utilities folder.
    Select the destination volume from the left side list.
    Click on the Restore tab in the DU main window.
    Check the box labeled Erase destination.
    Select the destination volume from the left side list and drag it to the Destination entry field.
    Select the source volume from the left side list and drag it to the Source entry field.
    Double-check you got it right, then click on the Restore button.
    Destination means the backup volume. Source means the internal startup volume.
    C. Important: Please read before installing:
    If you have a FireWire hard drive connected, disconnect it before installing the update unless you will boot from this drive and install the update on it. Reconnect it and turn it back on after installation is complete and you've restarted.
    You may experience unexpected results if you have installed third-party system software modifications, or if you have modified the operating system through other means. (This does not apply to normal application software installation.)
    The installation process should not be interrupted. If a power outage or other interruption occurs during installation, use the standalone installer (see below) from Apple Downloads to update.  While the installation is in progress do not use the computer.
    D. To upgrade to Lion:
    Purchase the Lion Installer from the Mac App Store. The download will start quickly. Lion is nearly 4 GBs so a fast internet connection is essential. Download time could run upwards of 4 hours depending upon network conditions and server demands at the time.
    Boot From The Lion Installer which is located in your Applications folder.
    Follow instructions for installation.

  • How should I do a clean install?

    I've been having problems since I got my Mini a few weeks ago, and I'm thinking that my use of Migration Assistant may have ported over some duff software.
    If I do a clean install I hope to solve some of these issues.
    Is there a recommended way to do this?
    I plan to copy stuff onto an external disk first, but how should I 'wipe' the HD before starting the new install? Drag everything to the trash and empty it? Use Disk utility to write zero over everything?
    Excuse the dumb questions but despite using Macs for years I've never had to do this before.
    (Incidentally, the most annoying problems are very long logout times from user accounts and regularly experiencing frozen mouse when starting up from sleep.)

    First off, there is no such thing as a "clean install". Mac OS X offers these installation options:
    http://discussions.apple.com/thread.jspa?messageID=607614
    You can't just trash the files. You can use the installer's options button to erase and install, or you can use the installer's Disk Utility to erase the hard drive. The latter though requires an extra reboot.
    An erase and install will eliminate all but potential hardware issues.
    The problems with logging out may simply be a permissions issue and require no erase and install. Secondly, Migration Assistant typically will only cause problems if you have insufficient disk space, or the Mac you are migrating from is different in the CPU manufacturer. I.e. you can't do an Intel/PowerPC migration, but you can do an Intel/Intel or PowerPC/PowerPC. If you tried an Intel/PowerPC migration, an erase and install will certainly clear issues that were caused by that, but I'd also make sure before erasing and installing to have at least two backups in place*:
    http://www.macmaps.com/backup.html
    And try the migration this time using this article:
    http://discussions.apple.com/thread.jspa?threadID=435350&tstart=30
    - * Links to my pages may give me compensation.

  • Hi, I have a MacBook Pro 10.6.8 and an iPhone 4S. I have already created an iCloud account. I want my normal mails to be saved on iCloud. How should I go about it?

    I'm not sure I understand your question really, but one thing for sure is that you need Lion for iCloud to work.

  • I have a few PDF files on my computer and I want to add them to my iPod touch. Please tell me the procedure for how I should do that. Secondly, I want to run these PDF files through the iBooks app, as it also has a PDF file section.

    You should be able to just place them in your Books library in iTunes and check to ensure that your Book library is configured to sync to your iPod when you sync your iPod to iTunes.

  • How should I set GPG to use with KMail or even rather Thunderbird?

    In the last 3 hours I tried to set up Thunderbird (Enigmail) and KMail to use my GPG key. I failed.
    I made the keypairs with KGpg, installed Enigmail, restarted Thunderbird, set everything, but TB didn't ask for a password, only gave an error message that it can't use gpg in batch mode and the password is wrong:
    gpg parancssor és kimenet:
    /usr/bin/gpg
    gpg: Probléma van az ügynökkel. Letiltom a használatát.
    gpg: can't query passphrase in batch mode
    gpg: Érvénytelen jelszó. Próbálja újra...
    gpg: can't query passphrase in batch mode
    gpg: Érvénytelen jelszó. Próbálja újra...
    gpg: can't query passphrase in batch mode
    gpg: skipped "<my e-mail>": rossz jelszó
    gpg: [stdin]: sign+encrypt failed: rossz jelszó - it's in Hungarian, it says: Problem with the agent. Disabling use. Wrong password. Try again.
    I read a lot and all I found is that I have to disable the use of gpg-agent in Enigmail's settings, but it was already disabled, despite getting this message:
    "Your system uses gpg-agent or a similar tool for passphrase handling (gpg-agent is mandatory if GnuPG v2.0 or later is used). Since caching of passphrases is handled by gpg-agent, the respective timeout settings in OpenPGP are disregarded. In order to change passphrase caching options, please configure your gpg-agent tool."
    After many pages I gave up, it seems it cannot be solved.
    So I tried KMail. But KMail didn't ask for a password either. Google, searching. I found that I should install pinentry-qt. Well, pinentry is already installed and I have pinentry, pinentry-qt and pinentry-qt4, too. So I searched for another solution. Then I found that I should use gpg-agent (I used it already according to Thunderbird) and I have to write use-agent to .gnupg/gpg.conf. It was already there. Then I found that I have to make a file, .gnupg/gpg-agent.conf with this content:
    pinentry-program /usr/bin/pinentry-qt4
    no-grab
    default-cache-ttl 1800
    So I made it. After this I added eval "$(gpg-agent --daemon)" to my .xinitrc, as was written in many posts. I logged out and in. Still no luck.
    The gpg-agent in terminal says:
    gpg-agent: gpg-agent running and available
    I tried a test I found on forums: echo "test" | gpg -ase -r 0xDEADBEEF | gpg. It says:
    1024-bit RSA key, ID CFF2728D, created 2011-05-17 (main key ID CD35B00C)
    gpg: problem with the agent -disabling agent use.
    Then it asks for the passphrase. I type it in, but then a message appears that I don't have any public key.
    I tried to disable gpg-agent, but it didn't help. Thunderbird said:
    "can't connect to `/tmp/gpg-y2XPqU/S.gpg-agent': Kapcsolat elutasítva
    gpg: Nem tudok kapcsolódni "/tmp/gpg-y2XPqU/S.gpg-agent" objektumhoz: connect failed" - connection refused. Can't connect to /tmp... object.
    KMail simply says bad passphrase.
    So. How can I use GPG? What should I do, how should I start? Is it possible at all? I just wanted to sign and encrypt e-mails. It seemed very easy.
    PS: all the installed software is up to date. And sorry about the mistakes in my English, if any!

    Hi Melfour-
    Here is a Support article detailing how to work with your Firefox PDF preferences:
    [[Opening PDF files within Firefox]]
    Hope that helps.

  • How should I reformat my external hard drive?

    I have just purchased a new 21.5" iMac and I will be moving from PC to iMac. I currently have a 2.5TB external hard drive which I have connected to my PC laptop that I use to store and watch movies. My question is how should I format/partition my external hard drive so that I can use it with my new iMac? The external hard drive will solely be used with my new iMac (it won't be connected/used with my laptop again) and I am ok with losing the data on the external hard drive as I have backed up the data currently on it onto another hard drive. I have tried to research what format to use but I am a little confused as to which one is the best and I am looking for some advice.

    Mac OS Extended (Journaled).

  • I want to use one Apple ID on my MacBook and iPad but I don't want pics to get synced and shown on both devices. How should I stop this?

    Turn off My PhotoStream in iCloud on both the iPad and the Mac. PhotoStream is what shares your photos (unless you are using iCloud Photo Library Beta, in which case, all photos uploaded are accessible from all devices signed onto the same Apple/iCloud ID).
    Cheers,
    GB

  • I accidentally dropped a MacBook Air that was in a book bag. The keyboard is working because I can see the light, but the screen is black and it won't turn off. How should I fix this? Please help me!!

    I accidentally dropped my friend's MacBook Air that was in a book bag. The keyboard is working because I can see the light, but the screen is black and it won't turn off. How should I fix this? Please help me!!
    I tried to turn it off and it didn't work... and I held the Shift key too and it still doesn't work..
    Please help me..

    Accidental damage is not covered under Apple warranty. And it seems there is much accidental damage. Only a Genius Bar tech looking at it can tell how much it will cost to repair.
    Cost to repair will be high, I suspect (though the Genius Bar will confirm/deny).
    There is no gentle way to say this sir/ma'am ... someone will need to pay for your friend's MBA repairs.

  • Due to a virus attack I had to format my Windows laptop. Now when I installed new iTunes software I had to sync my iPod touch again, but it says that if I do the same then the data on my iPod touch will be erased. How should I protect my iPod touch data?

    Due to the virus attack I had to format my Windows laptop... now when I installed new iTunes software I had to sync my iPod touch again but it says that if I do it then the data present on my iPod touch will be erased as it is synced to some older library... how should I protect my iPod touch data?

    With all your media (apps, music) in the iTunes library, connect the iPod to the computer and make a backup. Do that by right-clicking on the iPod under Devices in iTunes and selecting Back Up. Then restore the iPod from that backup.
    Note that the iPod backup that iTunes makes does not include synced media like apps and music.

  • I have a Mac Pro G4. When I load a CD or DVD there is no start-up noise from the drive and the icon will not show on the desktop or in iTunes. How should I troubleshoot? Pioneer 105, mirror door

    PIONEER DVD-RW  DVR-105:
      Firmware Revision:          A506
      Interconnect:          ATAPI
      Burn Support:          Yes (Apple Shipping Drive)
      Cache:          2000 KB
      Reads DVD:          Yes
      CD-Write:          -R, -RW
      DVD-Write:          -R, -RW
      Write Strategies:          CD-TAO, CD-SAO, CD-Raw, DVD-DAO
      Media:          Insert media and refresh to show available burn speeds
    Yes, it's a Power Mac. Thanks, it's been a long month, and Merry Christmas. Thanks for checking my question. I'm hoping it's a driver problem but not liking some other stuff; it's looking like replace drive.

  • Importation: I just started with Lightroom 5.6 (French). I'd like to import with creation of a second copy apart from the catalog, but it is impossible to activate this option. How should I activate this option?

  • Old MacBook to new MacBook Air transfer, but the new MacBook Air has less storage space. I only want to keep all iTunes and iPhoto files. I can keep the rest on an external HD. How should I do this?

    Bought a new MacBook Air and wanting to transfer only iTunes and iPhoto stuff to the new MacBook Air. How should I do this? I've got an external HD acting as Time Machine, but the data on there is 143G worth and the new MacBook Air is a 128G HD. So I don't need all the extra documents but want to keep them on the external HD, which has been partitioned.
    Question is - how do I transfer the iTunes and iPhoto info onto the new MacBook Air and keep all its settings etc. and also keep the docs etc. on the HD? Time Machine won't work as there is too much info for the new MacBook Air.
    What should I do?

    In iTunes 11 uncheck the setting in the iTunes Preferences panel "Advanced > Copy Files to iTunes Media folder when adding to Library".
