We are trying to implement Remote Desktop Manager in another company branch and want to set user rights by default. We have a SQL Server database with Active Directory security groups (e.g. "operations" or "management"), which have the db_owner right on this database. Every other membership produced failures.
With this, every new user who connects to the RDM database is an Administrator and has full permissions. After that we are able to cancel some permissions, but our main goal is to set the permissions/privileges right before a user connects and uses administrative privileges.
Is there any way to set the default permissions for all new users?
My second question is: when will Active Directory groups be supported? I found some old threads from 2011 which asked the same question. Mostly the answer was "maybe at the next version". Will this feature be released any time soon?
The Active Directory integration to manage your users and roles is available with our server product, Devolutions Server.
Thank you for the answer to my second question. We will test the server version.
But is there a possibility to solve our problem with the default user permissions with RDM and SQL Server (scenario stated above)?
In File - Options - Security, there's a User Reply section that is the template that is used for new users.
Just to reiterate, having everyone db_owner is a security risk because they can connect with any tool (not only SQL Mgmt studio, but even Excel) and play around in the database.
With SQL Server as a data source, the only way to keep the database secure is to use Local SQL accounts whose passwords the users themselves do not know. You must distribute the rdd files individually.
AD integration and full isolation between the client application and the database is a feature of our Devolutions Server.
FYI, my solution for this is as follows:
I have two AD security groups, one for "standard" users (i.e. read-only aside from user-specific settings), and one for admins. For both groups, I first added the groups under Security > Logins in SQL, with the RDM database set as the login's default database, and only the public server role selected. I then added the groups under [databasename] > Security > Users, with db_datareader and db_datawriter role membership. The db_owner role is NOT required.
By default, RDM will automatically create a non-admin user in the database for any of the AD users in these groups that connects to the data source, if it doesn't already exist. Only AD users with db_owner permissions on the database (such as Domain Admins) will have the Administrator flag in RDM checked by default upon automatic account creation.
I also wrote a PowerShell script that runs via scheduled task that does the following:
1. Makes sure users exist in RDM for all AD accounts in either group.
2. Enables the Administrator flag on RDM users that match AD users who are members of the admin security group, and likewise removes the Administrator flag from users who are not in the admin group.
It's not exactly a straightforward solution, but it gets the job done. I also have a couple other scripts that fully manage the list of connections in the primary data source, and with non-admins able to set user-specific settings, very few people actually need admin rights within RDM.
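The SQL Server side of the setup described in the post above (group logins with only the public server role, database users with db_datareader and db_datawriter, no db_owner), written as T-SQL. This is an added example and not the poster's script; the group names `CONTOSO\RDM-Users` and `CONTOSO\RDM-Admins` and the database name `RDM` are placeholders.

```sql
-- Added example. Placeholders (assumptions): CONTOSO\RDM-Users,
-- CONTOSO\RDM-Admins and the database name [RDM].
-- ALTER ROLE ... ADD MEMBER requires SQL Server 2012 or later.
USE [master];
GO
-- Server logins for the two AD groups. No server role is granted,
-- so each login holds only the implicit public server role.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'CONTOSO\RDM-Users')
    CREATE LOGIN [CONTOSO\RDM-Users] FROM WINDOWS
        WITH DEFAULT_DATABASE = [RDM];
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'CONTOSO\RDM-Admins')
    CREATE LOGIN [CONTOSO\RDM-Admins] FROM WINDOWS
        WITH DEFAULT_DATABASE = [RDM];
GO
USE [RDM];
GO
-- Database users mapped to the group logins.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'CONTOSO\RDM-Users')
    CREATE USER [CONTOSO\RDM-Users] FOR LOGIN [CONTOSO\RDM-Users];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'CONTOSO\RDM-Admins')
    CREATE USER [CONTOSO\RDM-Admins] FOR LOGIN [CONTOSO\RDM-Admins];
GO
-- Read/write data access only; db_owner is deliberately not granted.
ALTER ROLE db_datareader ADD MEMBER [CONTOSO\RDM-Users];
ALTER ROLE db_datawriter ADD MEMBER [CONTOSO\RDM-Users];
ALTER ROLE db_datareader ADD MEMBER [CONTOSO\RDM-Admins];
ALTER ROLE db_datawriter ADD MEMBER [CONTOSO\RDM-Admins];
GO
-- Audit: every principal that currently holds db_owner in this database.
-- The built-in dbo user is expected; any other row is an account or group
-- that would hold db_owner when it connects.
SELECT m.name      AS member_name,
       m.type_desc AS member_type
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r
    ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m
    ON m.principal_id = rm.member_principal_id
WHERE r.name = N'db_owner'
ORDER BY m.name;
```

Running the audit query on a schedule shows whether a group or account has been added back to db_owner after the initial setup.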