DRAFT
Overview
PFA will allow customers to update permissions on Active Directory objects by setting the correct values on specific attributes. The initial implementation is focused on Organizational Units.
Parameters
- Define <action-attribute> for query
  - utexasEduAustinBool1
  - Value must be true to grant permissions
- Define <permission-attribute> for query
  - utexasEduAustinSingle11
  - Value must be one of the existing Delegation values
- Define <targets-attribute> for query
  - utexasEduAustinMulti11
  - Values must be DNs of group objects
- Define <reports-attribute> for results
  - utexasEduAustinMulti12
- Define <object-class> for query
  - organizationalUnit
- Define <container> as search base for query
  - OU=Departments,<domainDnsRoot>
Pseudo-code
- Query for <object-class> in <container> where:
  - <action-attribute> is true
  - <permission-attribute> has a value
  - <targets-attribute> has a value
- For each object found in the previous step:
  - Grant <permission-attribute> delegation on the object to each principal in <targets-attribute>
  - Update <reports-attribute> with "<timestamp>;<add/remove>;<delegation>;<DNs>"
  - Clear <action-attribute>, <permission-attribute>, <targets-attribute>
- Create scheduled task on ADFS servers to perform query every hour
  - Run as dedicated GMSA
    - All permission actions taken by a known account
    - Password of account managed by domain
  - Leverage HostCheck
    - Avoid duplication of work
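One hourly pass of the pseudo-code above, written out in PowerShell. This is an added example, not PFA's own code. It assumes the RSAT ActiveDirectory module is installed, that the scheduled task's gMSA may modify OU ACLs and the utexasEduAustin* attributes under the Departments OU, and that a $DelegationCatalog table maps the site's Delegation names to access rules; that table is a constructed placeholder, because the document does not list the existing Delegation values.

```powershell
# Added example (not PFA's own code): one hourly pass of the PFA pseudo-code.
# Assumes the RSAT ActiveDirectory module and a run-as gMSA that may modify OU ACLs and
# the utexasEduAustin* attributes under the Departments OU.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$ActionAttribute     = 'utexasEduAustinBool1',
    [string]$PermissionAttribute = 'utexasEduAustinSingle11',
    [string]$TargetsAttribute    = 'utexasEduAustinMulti11',
    [string]$ReportsAttribute    = 'utexasEduAustinMulti12',
    [string]$ObjectClass         = 'organizationalUnit',
    [string]$Container           = "OU=Departments,$((Get-ADDomain).DistinguishedName)"
)

Import-Module ActiveDirectory   # also mounts the AD: drive used by Get-Acl/Set-Acl below

# Allow-list of Delegation names -> access rule. CONSTRUCTED PLACEHOLDER: the site's real
# Delegation values are not listed in the design; replace with the approved definitions.
$DelegationCatalog = @{
    'Example-ReadOnly' = @{ Rights = 'GenericRead'; Inheritance = 'All' }
}

# Step 1: query. All three request attributes must be present and the action must be TRUE.
$filter = "(&(objectClass=$ObjectClass)($ActionAttribute=TRUE)" +
          "($PermissionAttribute=*)($TargetsAttribute=*))"
$requests = Get-ADObject -LDAPFilter $filter -SearchBase $Container -SearchScope Subtree `
                -Properties $ActionAttribute, $PermissionAttribute, $TargetsAttribute

foreach ($ou in $requests) {
    $ouPath     = "AD:\$($ou.DistinguishedName)"
    $delegation = [string]$ou.$PermissionAttribute
    $stamp      = (Get-Date).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
    $granted    = @()

    # The request attributes are written by the customer, so treat them as untrusted input:
    # only a catalogued Delegation name is honoured, never an arbitrary value.
    if ($DelegationCatalog.ContainsKey($delegation)) {
        $spec = $DelegationCatalog[$delegation]
        foreach ($dn in @($ou.$TargetsAttribute)) {
            # Targets must resolve to group objects; anything else is logged and skipped.
            try   { $group = Get-ADGroup -Identity $dn -ErrorAction Stop }
            catch { Write-Warning "$($ou.DistinguishedName): '$dn' is not a group, skipped"; continue }

            $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $group.SID,
                [System.DirectoryServices.ActiveDirectoryRights]$spec.Rights,
                [System.Security.AccessControl.AccessControlType]::Allow,
                [System.DirectoryServices.ActiveDirectorySecurityInheritance]$spec.Inheritance)

            if ($PSCmdlet.ShouldProcess($ou.DistinguishedName, "grant '$delegation' to $dn")) {
                $acl = Get-Acl -Path $ouPath
                $acl.AddAccessRule($rule)
                Set-Acl -Path $ouPath -AclObject $acl
                $granted += $dn
            }
        }
    } else {
        Write-Warning "$($ou.DistinguishedName): '$delegation' is not an approved Delegation, skipped"
    }

    # Step 2: record what was done in <reports-attribute>, in the format the design specifies.
    if ($granted.Count -gt 0) {
        Set-ADObject -Identity $ou -Add @{ $ReportsAttribute = "$stamp;add;$delegation;$($granted -join ',')" }
    }

    # Step 3: clear the request triple so the next hourly run does not apply it again.
    Set-ADObject -Identity $ou -Clear $ActionAttribute, $PermissionAttribute, $TargetsAttribute
}
```

Because the script supports ShouldProcess, a first run with -WhatIf shows which OUs and groups would be touched without changing any ACL. Rejected requests (an unknown Delegation value or a target that is not a group) are logged and cleared rather than applied, so a mistyped or tampered attribute cannot grant anything; the scheduled task should run under the dedicated gMSA as the design calls for, so every ACL change is attributable to that one known account.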
Expansion options
- Set <action-attribute> to false to remove a delegation
- Allow <permission-attribute> to be SDDL
  - SDDL must be checked for prohibited permissions
- Add Reset as a delegation to reset permissions on an OU
  - Ensure that <DEPT>-Permissions are restored after a reset on a department root.