Granting Temporary Access to Resources
Summary: In this post, we are going to discuss about Creating Temporary Dynamic objects and enable access for Contractors, Temporary Users, vendors etc.
We often receive message from security team to enable access applications or share folder etc… for couple of days to their vendors or temporarily aligned users. All the permissions are elevated hence security team review the permissions once the contractual period expired.
Maintaining this permission for Active Directory administrators quite harder, we can schedule the job to clean up temporary users, however this can be lead no of scheduled jobs in domain controllers or member servers.
To handle such situation, I have tried to use MS-Dynamic object, the object seems to be normal object from AD, but when its creates this will come along with TimeStamp once the TTL value end the object will disappeared automatically from AD and it won’t record his entry from Tombstone life time.
Scenario:
The Test Company have two branch office, where its located Chennai and Bangalore. The Bangalore users are traveled to Chennai and they would like to access Chennai accounts folder for 2 days.
The Chennai account folder have been granted access to “Chennai_Accounts” group.
We are proposing the below steps to grant the access for Bangalore users.
Create TEMP_Accounts Group in AD (dynamic groups cannot be created directly by using ADUC, instead we use ldifde.exe)
The ldifde format has been given below.
dn: cn=Temp_accounts,OU=Chennai_Users,OU=RootOU,DC=test,DC=local
changeType: add
objectClass: group
objectClass: dynamicObject
entryTTL: 1800 (The value must be in Seconds; this is test lab hence I have provided only 30mins life to expire group)
sAMAccountName: TEMP_Accounts
We imported Ldifde file into Active Directory and we see the dynamic object created successful.
The object created successfully as we expected and Group is counting his life to expire.
Now we are going to add TEMP_Accounts into Chennai_Accounts Groups for granting temporary permissions of Chennai Accounts folder.
Now Bangalore_Accounts group become member of Temp_Accounts, to get temporary access of Chennai account folder.
Now users who are all member of Temp Account group, they can access Chennai Account folder. Once the Temp group meet his life time, the group will disappear automatically from AD, and users will lose their access automatically.
Now object is become counting his time and it is about to expire in below time.
***End***
No comments:
Post a Comment