Question for time based group membership in FL 2016

Rowland Penny rpenny at samba.org
Thu Feb 1 21:42:20 UTC 2024


On Thu, 1 Feb 2024 22:16:35 +0100
Kees van Vloten via samba-technical <samba-technical at lists.samba.org>
wrote:

> 
> On 01-02-2024 21:38, Douglas Bagnall via samba-technical wrote:
> > On 2/02/24 07:22, Stefan Kania via samba-technical wrote:
> >> Hi to all,
> >>
> >> I already posted the question on the samba mailing list, but I think 
> >> it's more a question for developers :-)
> >>
> >> I have a question about FL 2016 and if samba supports it. If yes,
> >> how can I use it without powershell.
> >>
> >> In FL 2016 there is the possibility to put a user into a group and 
> >> the membership is time based. So I could put the user Foo into the 
> >> group 'domain admins' for 30 minutes and after 30 minutes the
> >> system will remove user foo from the group.
> >
> > That sounds good. We don't do that, and we don't call it part of 
> > "functional level 2016".
> >
> > The things that count as "functional level" are listed here:
> >
> > https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-functional-levels 
> >
> >
> > They are protocol level things -- supporting FL2016 means you can 
> > properly be a DC in an FL2016 domain.
> >
> > Temporary memberships is a useful trick that Windows Server 2016
> > can do, for which FL2016 is necessary, but not sufficient.
> >
> > That's my understanding, at least.
> >
> > Douglas
> >
> >
> Still, if you know what this powershell call changes in the LDAP
> record of the group, the user or elsewhere in LDAP, you can mimic
> this functionality quite easily with a little cron script on the DC.
> 
> I have created a somewhat similar implementation called auto-lock, where 
> (admin-)users that are members of the "autolock" group automatically get 
> disabled at midnight every day 
> (https://github.com/kvvloten/samba_integrations/tree/main/domain_controller/manage_scripts#disable-special-users-daily)
> 
> And another piece of cron-scripting makes "password expired" LDAP 
> searchable (which is not the case with the computed attribute 
> "msDS-User-Account-Control-Computed").

That attribute is searchable; it is one of the attributes you have to
explicitly ask for.

> With this, applications like 
> Privacyidea can disallow MFA for users with an expired domain
> password.
> 
> It can't be hard to query some attribute and add or remove a user
> from a group.
> 

Would that it was that easy, but as I said on the samba mailing list, I
am sure the timing is done in code, but I am sure that those wiser than
myself will know.

Rowland
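One way to approximate the temporary membership the thread discusses with a cron script on the DC, as an added example that is not code from any of the posters: grants are recorded in a side ledger with an expiry, and a periodic run revokes the expired ones via samba-tool. The ledger entries, the `samba-tool group addmembers`/`removemembers` invocations and the injectable `run` callable are assumptions of this example; Windows 2016 keeps the TTL on the member link itself, which Samba does not do here.

```python
import json
import subprocess
from datetime import datetime, timedelta, timezone

LEDGER_PATH = "/var/lib/samba/private/temp-grants.json"  # assumed location

# Constructed sample ledger: who was granted which group, and until when (UTC).
SAMPLE_LEDGER = [
    {"user": "foo", "group": "Domain Admins", "expires": "2024-02-01T22:00:00+00:00"},
    {"user": "bar", "group": "Domain Admins", "expires": "2024-02-02T09:00:00+00:00"},
]


def grant_temporary(user, group, minutes, now, run=subprocess.run):
    """Add `user` to `group` now and return the ledger entry recording the expiry."""
    run(["samba-tool", "group", "addmembers", group, user], check=True)
    expires = now + timedelta(minutes=minutes)
    return {"user": user, "group": group, "expires": expires.isoformat()}


def is_expired(entry, now):
    """True when the entry's expiry is at or before `now` (both timezone-aware)."""
    return datetime.fromisoformat(entry["expires"]) <= now


def revoke_expired(ledger, now, run=subprocess.run):
    """Remove every expired grant from its group.

    Returns (remaining_ledger, commands_run); unexpired entries are kept.
    """
    remaining, ran = [], []
    for entry in ledger:
        if is_expired(entry, now):
            cmd = ["samba-tool", "group", "removemembers", entry["group"], entry["user"]]
            run(cmd, check=True)
            ran.append(cmd)
        else:
            remaining.append(entry)
    return remaining, ran


if __name__ == "__main__":
    # Cron entry point: load the ledger, revoke what has expired, write it back.
    with open(LEDGER_PATH) as fh:
        ledger = json.load(fh)
    ledger, ran = revoke_expired(ledger, datetime.now(timezone.utc))
    with open(LEDGER_PATH, "w") as fh:
        json.dump(ledger, fh, indent=2)
    print(f"revoked {len(ran)} expired grant(s)")
```

Run it from cron every minute; a failed `samba-tool` call raises before the ledger is rewritten, so the grant is retried on the next run rather than silently forgotten.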