Forum / Devolutions Password Server - Feature Request

Automatically check AD Group Memberships



This should happen automatically and immediately once there has been a change to anyone's AD Group Membership (you could use their Kerberos/NTLM/Windows Authentication to achieve that), and/or allow this to be specified by an admin in the DPS Console.

The reason for requesting this feature is:

* We offer RDM as a Microsoft RemoteApp, which is accessed through RDWeb. (RDM itself is running on multiple terminal servers)
* We use a PAM solution, and as such, our users activate their rights on a need-to-need basis, which effectively puts them in/out of a security group that has been given pre-defined rights to a repository.

Ideally, changes in a user's AD Group memberships shouldn't be cached at all; it should happen on-the-fly, and you can prevent reading the whole AD for changes to all users by specifying that users have to be a part of a certain AD group to begin with, so that only users who are a part of that certain AD group will have their group memberships refreshed on-the-fly.

9 mths

We used to check the AD group automatically on login, but this was causing DPS huge performance issues. This is why we synchronize the AD group instead now. I will talk with the team and verify if we can find a better way.


David Hervieux


9 mths

Hi David,

I understand that this could cause the user experience to be a bit sluggish, but there's a way around this, which would be to let administrators define a certain AD group where any members within this AD group will have all their AD Group Memberships updated without delay.

Otherwise, using RDM in environments that are using PAM/PIM solutions out of a need for better access control will suffer.

All the best.

Best regards,
Johnny Minde

9 mths
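Added example, not part of the thread and not Devolutions code: a sketch of the gate-group idea discussed above, where scheduled synchronization stays in place and only members of one designated group get a live lookup on each access check. The classes, the in-memory directory, the users and the group names `DPS-Live-Refresh` and `Repo-Prod-Admins` are all hypothetical and constructed for the illustration.

```python
# Added illustration; all class, user and group names are hypothetical.
class FakeDirectory:
    """Constructed in-memory stand-in for AD that counts live lookups."""
    def __init__(self, memberships):
        self.memberships = {u: set(g) for u, g in memberships.items()}
        self.lookups = 0

    def groups_of(self, user):
        self.lookups += 1
        return set(self.memberships.get(user, ()))


class MembershipResolver:
    def __init__(self, directory, gate_group):
        self.directory, self.gate, self.snapshot = directory, gate_group, {}

    def sync(self):
        # Periodic full synchronization, as the vendor reply describes.
        self.snapshot = {u: set(g) for u, g in self.directory.memberships.items()}

    def can_access(self, user, required_group):
        groups = self.snapshot.get(user, set())
        if self.gate in groups:
            # Gate members are re-read on every check, so PAM changes apply at once.
            groups = self.snapshot[user] = self.directory.groups_of(user)
        return required_group in groups


def demo():
    ad = FakeDirectory({"alice": {"DPS-Live-Refresh"}, "bob": {"Repo-Prod-Admins"}})
    resolver = MembershipResolver(ad, "DPS-Live-Refresh")
    resolver.sync()
    # PAM elevates alice and revokes bob between two scheduled syncs.
    ad.memberships["alice"].add("Repo-Prod-Admins")
    ad.memberships["bob"].discard("Repo-Prod-Admins")
    out = {"alice_elevated": resolver.can_access("alice", "Repo-Prod-Admins"),
           "bob_stale_grant": resolver.can_access("bob", "Repo-Prod-Admins")}
    ad.memberships["alice"].discard("Repo-Prod-Admins")  # PAM window closes
    out["alice_after_revoke"] = resolver.can_access("alice", "Repo-Prod-Admins")
    resolver.sync()
    out["bob_after_sync"] = resolver.can_access("bob", "Repo-Prod-Admins")
    out["live_lookups"] = ad.lookups  # only alice's two checks hit the directory
    return out


if __name__ == "__main__":
    print(demo())
```

In this sketch the gate check itself reads the synchronized snapshot, so adding a user to the gate group only takes effect at the next sync, while a user outside it keeps a revoked right until then.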