Question for time based group membership in FL 2016

Kees van Vloten keesvanvloten at gmail.com
Thu Feb 1 21:16:35 UTC 2024


On 01-02-2024 21:38, Douglas Bagnall via samba-technical wrote:
> On 2/02/24 07:22, Stefan Kania via samba-technical wrote:
>> Hi to all,
>>
>> I already posted the question in the samba mailing list but I think
>> it's more a question for developers :-)
>>
>> I have a question about FL 2016 and if samba supports it. If yes, how 
>> can I use it without powershell.
>>
>> In FL 2016 there is the possibility to put a user into a group and 
>> the membership is time based. So I could put the user Foo into the 
>> group 'domain admins' for 30 minutes and after 30 minutes the system 
>> will remove user foo from the group.
>
> That sounds good. We don't do that, and we don't call it part of 
> "functional level 2016".
>
> The things that count as "functional level" are listed here:
>
> https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-functional-levels 
>
>
> They are protocol level things -- supporting FL2016 means you can 
> properly be a DC in an FL2016 domain.
>
> Temporary membership is a useful trick that Windows Server 2016 can
> do, for which FL2016 is necessary, but not sufficient.
>
> That's my understanding, at least.
>
> Douglas
>
>
Still, if you know what this powershell call changes in the LDAP record 
of the group, the user or elsewhere in LDAP, you can mimic this 
functionality quite easily with a little cron script on the DC.

I have created a kind of similar implementation called auto-lock, where
(admin-)users that are members of the "autolock" group automatically get
disabled at midnight every day
(https://github.com/kvvloten/samba_integrations/tree/main/domain_controller/manage_scripts#disable-special-users-daily)

And another piece of cron-scripting makes "password expired" LDAP
searchable (which is not the case with the computed attribute
"msDS-User-Account-Control-Computed"). With this, applications like
privacyIDEA can disallow MFA for users with an expired domain password.

It can't be hard to query some attribute and add or remove a user from a 
group.

- Kees.
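The cron-script approach Kees describes, as an added example that is neither his script nor Samba's own code: temporary grants are kept in a small JSON side file (the path and format are assumptions), and each run removes expired members with `samba-tool group removemembers` and drops them from the file so the removal is not retried.

```python
#!/usr/bin/env python3
"""Cron job: expire time-limited group memberships on a Samba DC.

Assumed layout: GRANTS_FILE holds a JSON list of
{"user": ..., "group": ..., "expires": ISO-8601 timestamp}.
"""
import json
import subprocess
import sys
from datetime import datetime, timezone

GRANTS_FILE = "/var/lib/samba/temp-group-grants.json"  # assumption

# Constructed sample data: foo was granted Domain Admins for a short window.
SAMPLE_GRANTS = json.dumps([
    {"user": "foo", "group": "Domain Admins", "expires": "2024-02-01T21:30:00+00:00"},
    {"user": "bar", "group": "Backup Operators", "expires": "2024-02-02T09:00:00+00:00"},
])

def parse_ts(text):
    """Parse an ISO-8601 timestamp; naive values are treated as UTC."""
    ts = datetime.fromisoformat(text)
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)

def parse_grants(text):
    """Parse the grants file, rejecting malformed entries rather than skipping them."""
    grants = []
    for entry in json.loads(text):
        try:
            grants.append({"user": entry["user"], "group": entry["group"],
                           "expires": parse_ts(entry["expires"])})
        except (KeyError, TypeError, ValueError) as exc:
            raise ValueError(f"bad grant entry {entry!r}: {exc}") from exc
    return grants

def removal_command(grant):
    return ["samba-tool", "group", "removemembers", grant["group"], grant["user"]]

def run(text, now=None, execute=False):
    """Split grants into expired/active; remove expired members when execute=True."""
    now = now or datetime.now(timezone.utc)
    grants = parse_grants(text)
    expired = [g for g in grants if g["expires"] <= now]
    active = [g for g in grants if g["expires"] > now]
    for g in expired:
        cmd = removal_command(g)
        print("expired grant, running:", " ".join(cmd), file=sys.stderr)  # audit trail
        if execute:
            subprocess.run(cmd, check=True)
    return expired, active

if __name__ == "__main__":
    with open(GRANTS_FILE) as fh:
        _, remaining = run(fh.read(), execute=True)
    with open(GRANTS_FILE, "w") as fh:  # keep only still-active grants
        json.dump([dict(g, expires=g["expires"].isoformat()) for g in remaining], fh)
```

Run from cron every minute or so on the DC; the grants file itself should be writable only by root, since whoever edits it decides when access ends.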