Active Directory Groups

Is there any documentation on how to utilize AD groups in Remote Desktop Manager Server? Utilizing AD groups is probably the main reason that my organization has been eagerly awaiting RDMS to be released. I tried adding AD groups as users, but when I logged in with my domain user, it didn't give me any of the permissions I set for the groups I added.

Clock8 yrs

We now support Active Directory users for authentication, but groups are not supported yet. This is on the server roadmap for version 1.1. There is a small chance that it could be in the first version too.

David Hervieux

Clock8 yrs

By the way, we have already started to develop this feature. I'm just not sure if we will have the time to complete it.

David Hervieux

Clock8 yrs

David,

I've been following each of the new beta versions as they have come out, and noticed in the last version that there was a new section added for "Roles", which searches Active Directory for groups. It doesn't look to be working quite yet, though. When I log in with my AD credentials (As an aside, integrated authentication doesn't seem to be available when using Remote Desktop Manager Server data sources. That would be a nice feature to continue to be able to use going forward), it seems to create a user for me in the users section, but it doesn't apply any of the permissions I specified for the role. I'm guessing that not all of the code is in place to make that feature work properly as of yet. If it works the way it looks like it should, this definitely looks like a very nice feature addition to your product.

As you can tell, I'm itching to utilize this feature. I just finished up a quick hack of a PHP script to create users in the SQL database without so much manual intervention. We're up to 20 separate data sources now, and creating new users on each of them can be surprisingly time consuming. I know it would be less work with fewer data sources, but different sets of users need varying degrees of permissions on different sets of machines (and pretty much everyone needs to be able to at least connect to most everything). So the simplest solution at this time is to create data sources for the different sets of machines.

Clock8 yrs

Hi,
What version of Remote Desktop Manager Server do you use? Have you correctly configured the machine name for the authentication? You need to enter the machine name and not the domain.

David Hervieux

Clock8 yrs

I just upgraded to RDMS 1.0, actually. When you say that I need to correctly configure the machine name for authentication... Do you mean configure the machine account in the SQL Management Studio? Or do you mean that I need to change the settings for the "Authenticate with domain user" option to use the local machine name instead of my domain name?

Clock8 yrs

Here is what I've tried:
- Authenticate with domain user set to domain name
- Authenticate with domain user set to specific domain controller FQDN
- Authenticate with domain user set to local machine
- In data source configuration:
  - Authenticate as domain user without specifying domain (of AD domain)
  - Authenticate as domain user with specifying domain (of AD domain)
  - Authenticate as local user without specifying domain (of local machine name)
  - Authenticate as local user with specifying domain (of local machine name)
- In Roles configuration:
  - AD Groups with only users as members
  - AD Groups with other groups as members
  - Local groups with only AD users as members
  - Local groups with only AD groups as members
  - Local groups with only local users as members
  - Local groups with only local groups as members

All of the above have been tried with SQL authentication for the database connection and with integrated authentication for the database. They have all also been tried with every combination possible of turning on/off the built-in user auth and local machine user auth in the RDMS instance configuration.

I'm guessing from your initial follow-up question that the group authentication piece is supposed to be working, and that I'm just failing to configure a small piece to make it work. Currently, the authentication does work, in a way. I can connect to the data source with a domain user that I didn't manually add. RDMS then creates a user for that authenticated person. The user that gets created just doesn't have any rights assigned, so I have to manually edit their permissions in order for the user to be useful.
edited by abwalters on 3/21/2012

Clock8 yrs

Hi,
From what I see, if the server creates the user, it's because it's able to connect to the Active Directory. Have you assigned any rights to an Active Directory Group? All those rights are supposed to be inherited by the user when he logs in.

David Hervieux

Clock8 yrs

I assigned administrator permissions to each of the various groups I tested with. Specifically, I assigned those permissions under the "Roles" section.

Clock8 yrs

Do you think that you could send me a print screen of a role? You can send it to infos@dev....

David Hervieux

Clock8 yrs

I'm having the same issue, please do a follow up in this thread.

Clock8 yrs

Hi,
Could you try to install version 1.0.0.1 of the RDMS and this version of RDM:

http://remotedesktopmanager.com/download/Devolutions.RemoteDesktopManager.Bin.7.0.4.0.zip

Select the data source and send me a print screen of the File->My Data Source Information.

David Hervieux

Clock8 yrs

I found a workaround for this particular issue. If you manually create your users (with the integrated security checkbox ticked), like you needed to do prior to AD group integration being implemented, your roles will assign permissions to your users.

Clock8 yrs

I will try to fix that for real. I think that RDM should authenticate the user with AD before trying with SQL Server.
edited by dhervieux on 3/29/2012

David Hervieux

Clock8 yrs

Okay. I figured you were working on a more permanent fix. I mostly posted that for xrs and any others currently experiencing this particular problem. The workaround will at least allow the intended functionality, though with a bit of manual intervention needed. I actually meant to post it shortly after I sent the information to you via email, but forgot.

Clock8 yrs

I have reproduced the problem and fixed it.

This is now in the version 1.0.0.2

Regards

David Hervieux

Clock8 yrs

David,

I can confirm that user creation does work now. Any users that are meant to be administrators are created properly (except that setting offline mode doesn't seem to be assignable via roles).

Users that are not a member of an administrator role aren't receiving any permissions, though. I sent you more information via email.

Clock8 yrs

I request this feature for RDM also.

RDM 10.5.2.0 Enterprise
RDMS 2.2.7.0

Clock8 yrs

Unfortunately, for RDM with the SQL Server it's not possible to dynamically create the user because the database user must be a SYS_DBA to create the user in the database. I will see what I can do.

David Hervieux

Clock8 yrs

I have the RDMS instance configured to use SQL authentication, and the RDMS user holds the sysadmin role in SQL, so RDMS should be able to create users without a problem.

Clock8 yrs

Hi,
I was answering @Steffen Hornung about the possibility of adding this feature in RDM with a SQL Server data source. For the bug you reported, I'm working on it. Sorry about the confusion.

David Hervieux

Clock8 yrs

The confusion was on my part. I didn't really read his post to see that it was a feature request for RDM (not RDMS).

Clock8 yrs

It should already work if you add an AD group "employees" to the SQL Server as allowed users, so RDM/RDMS should only have to create the permissions to the database of RDM(S). For this, the db_owner right should be enough, right?

Clock8 yrs

@Xanacas

You're right that this could be possible, but this will create a big problem. They will all be administrators of the database and they will all be able to delete or update any rows in the database by using SQL Management Studio.

David Hervieux

Clock8 yrs

I think the problem you describe exists with every sort of integrated security, right?

Clock8 yrs

Not really, because you can use the Integrated Security without being a DB_OWNER.

David Hervieux

Clock8 yrs
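
The trade-off in the posts above, shown as an added T-SQL example that is not part of the original thread or Devolutions' own scripts: an AD group placed in db_owner next to the same group mapped to a narrower custom role, plus a query to audit who holds db_owner. The domain `CONTOSO`, the role name `rdm_connection_users`, the `dbo` schema and the grants chosen are assumptions; `RDM`, "employees" and `userinfo` are the names used in the thread.

```sql
-- Constructed names: CONTOSO\Employees (AD group), rdm_connection_users (role).
-- The dbo schema and the permissions RDM really needs are assumptions.
-- ALTER ROLE ... ADD MEMBER requires SQL Server 2012 or later.
USE [master];
CREATE LOGIN [CONTOSO\Employees] FROM WINDOWS;  -- one login for the whole AD group
GO

USE [RDM];
CREATE USER [CONTOSO\Employees] FOR LOGIN [CONTOSO\Employees];
GO

-- Weak setting: every member of the group becomes a database administrator
-- and can update or delete any row from SQL Server Management Studio.
-- ALTER ROLE db_owner ADD MEMBER [CONTOSO\Employees];

-- Narrower setting: integrated security through a custom role, no db_owner.
CREATE ROLE rdm_connection_users;
GRANT SELECT ON SCHEMA::dbo TO rdm_connection_users;
-- Add write grants per table only where the application needs them.
-- DENY wins over any later GRANT, so the user table stays read-only here.
DENY INSERT, UPDATE, DELETE ON OBJECT::dbo.userinfo TO rdm_connection_users;
ALTER ROLE rdm_connection_users ADD MEMBER [CONTOSO\Employees];
GO

-- Audit: list every principal that holds db_owner in this database.
-- A WINDOWS_GROUP row means all members of that AD group are database owners.
SELECT m.name      AS member_name,
       m.type_desc AS member_type
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
WHERE r.name = N'db_owner'
ORDER BY m.name;
```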

We have the following configuration:
Security->Logon-> Employees - Serverrole: "public"
I'm the of the database "RDM". Our AD-Admin adds new employees to the group and I create the users through RDM.
So RDM shouldn't create the logon, but should create the database user. Where do you see a security problem?

Clock8 yrs

The problem is that only an Administrator can update or insert into the table userinfo, but I will see what I can do. Maybe I could add an option to allow this. Thank you.

David Hervieux

Clock8 yrs

The advantage of our solution is that the RDMS-SQL-User / RDM-Administrator doesn't need SQL-Server-Administrator-Rights, just db_owner. And the SQL-Server-Admin just needs to add new employees to the group with general access to the server...

Clock8 yrs

Any news on the role assignment for non admins? We are running 1.0.0.5, but simple users don't get their role assignments from AD.

Clock8 yrs