Question for time based group membership in FL 2016
Rowland Penny
rpenny at samba.org
Thu Feb 1 21:42:20 UTC 2024
On Thu, 1 Feb 2024 22:16:35 +0100
Kees van Vloten via samba-technical <samba-technical at lists.samba.org>
wrote:
>
> On 01-02-2024 21:38, Douglas Bagnall via samba-technical wrote:
> > On 2/02/24 07:22, Stefan Kania via samba-technical wrote:
> >> Hi to all,
> >>
> >> I already posted the question on the samba mailing list but I think
> >> it's more a question for developers :-)
> >>
> >> I have a question about FL 2016 and whether samba supports it. If yes,
> >> how can I use it without PowerShell?
> >>
> >> In FL 2016 there is the possibility to put a user into a group and
> >> the membership is time based. So I could put the user Foo into the
> >> group 'domain admins' for 30 minutes and after 30 minutes the
> >> system will remove user foo from the group.
> >
> > That sounds good. We don't do that, and we don't call it part of
> > "functional level 2016".
> >
> > The things that count as "functional level" are listed here:
> >
> > https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-functional-levels
> >
> >
> > They are protocol level things -- supporting FL2016 means you can
> > properly be a DC in an FL2016 domain.
> >
> > Temporary membership is a useful trick that Windows Server 2016
> > can do, for which FL2016 is necessary, but not sufficient.
> >
> > That's my understanding, at least.
> >
> > Douglas
> >
> >
> Still, if you know what this powershell call changes in the LDAP
> record of the group, the user or elsewhere in LDAP, you can mimic
> this functionality quite easily with a little cron script on the DC.
>
> I have created a somewhat similar implementation called auto-lock, where
> (admin-)users that are members of the "autolock" group automatically get
> disabled at midnight every day
> (https://github.com/kvvloten/samba_integrations/tree/main/domain_controller/manage_scripts#disable-special-users-daily)
>
> And another piece of cron-scripting makes "password expired" LDAP
> searchable (which is not the case with the computed attribute
> "msDS-User-Account-Control-Computed").
That attribute is searchable, it is one of the attributes you have to
explicitly ask for.
> With this, applications like
> privacyIDEA can disallow MFA for users with an expired domain
> password.
>
> It can't be hard to query some attribute and add or remove a user
> from a group.
>
Would that it were that easy, but as I said on the samba mailing list, I
am sure the timing is done in code, but I am sure that those wiser than
myself will know.
Rowland
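The "little cron script on the DC" that Kees describes above, as an added example written for this page (it is neither code from the thread nor from the samba_integrations repository or Samba itself). It assumes a hypothetical ledger file in JSON-lines format that records who was temporarily added to which group and when that grant expires; the only Samba interface it touches is the real `samba-tool group removemembers` sub-command, which it builds as an argv list and runs only when `dry_run` is false. The sample ledger is constructed for the demo.

```python
"""Cron-style revocation of time-limited group memberships on a Samba DC.

Hypothetical ledger format (assumption, not a Samba file): one JSON object
per line with the member, the group, who granted it and an ISO 8601 expiry.
Run from cron every minute; entries whose expiry has passed are revoked with
`samba-tool group removemembers <group> <user>` and dropped from the ledger.
"""
import json
import subprocess
from datetime import datetime, timezone

# Constructed sample ledger for the demo; not a real Samba file.
SAMPLE_LEDGER = """\
{"user": "foo", "group": "Domain Admins", "granted_by": "alice", "expires": "2024-02-01T22:00:00+00:00"}
{"user": "bar", "group": "Domain Admins", "granted_by": "alice", "expires": "2024-02-02T09:00:00+00:00"}
{"user": "baz", "group": "Backup Operators", "granted_by": "bob", "expires": "not-a-date"}
"""


def parse_expiry(value):
    """Return an aware datetime, or None if the value is missing/unparsable.

    None is treated as already expired further down (fail closed): a
    privilege whose end we cannot read should not linger in the group.
    """
    try:
        exp = datetime.fromisoformat(value)
    except (TypeError, ValueError):
        return None
    if exp.tzinfo is None:
        exp = exp.replace(tzinfo=timezone.utc)
    return exp


def parse_ledger(text):
    """Parse the JSON-lines ledger into dicts with a parsed 'expires_at' field."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["expires_at"] = parse_expiry(rec.get("expires"))
        entries.append(rec)
    return entries


def split_expired(entries, now):
    """Split entries into (expired, still_valid) relative to 'now'."""
    expired, valid = [], []
    for rec in entries:
        if rec["expires_at"] is None or rec["expires_at"] <= now:
            expired.append(rec)
        else:
            valid.append(rec)
    return expired, valid


def removal_command(rec):
    """argv for the samba-tool sub-command that drops one member from a group."""
    return ["samba-tool", "group", "removemembers", rec["group"], rec["user"]]


def revoke_expired(ledger_text, now, dry_run=True):
    """Return (commands, remaining_ledger_text); run the commands unless dry_run."""
    expired, valid = split_expired(parse_ledger(ledger_text), now)
    commands = [removal_command(rec) for rec in expired]
    if not dry_run:
        for cmd in commands:
            # check=True: a failed removal raises before the ledger is rewritten,
            # so the caller keeps the old ledger and the next cron run retries.
            subprocess.run(cmd, check=True)
    remaining = "".join(
        json.dumps({k: v for k, v in rec.items() if k != "expires_at"}) + "\n"
        for rec in valid
    )
    return commands, remaining


if __name__ == "__main__":
    now = datetime(2024, 2, 1, 22, 30, tzinfo=timezone.utc)  # fixed for the demo
    cmds, remaining = revoke_expired(SAMPLE_LEDGER, now, dry_run=True)
    for cmd in cmds:
        print("would run:", " ".join(cmd))
    print("ledger after run:\n" + remaining, end="")
```

With the demo clock set to 22:30 UTC, `foo` (expired at 22:00) and `baz` (unreadable expiry, so failed closed) are revoked and only `bar` stays in the ledger. Because the enforcement lives in a cron job rather than in the directory, the membership persists until the next run, and an attacker who can edit the ledger or stop the job can keep it; that is the gap Rowland's reply about timing being "done in code" points at, and it is why the ledger should be root-owned on the DC and the removals logged.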