MicrosoftDocs / Windows-Admin-Center-Ideas-and-Feedback

Windows Admin Center's hub for ideas and feedback.
Creative Commons Attribution 4.0 International

[WAC Settings/Access] - AD group with space #50

Open PeterRoots opened 2 years ago

PeterRoots commented 2 years ago

Gateway Version 2103.2
Build number 1.3.2105.24004

To Reproduce
Steps to reproduce the behavior:

  1. Go to Settings
  2. Click on Access
  3. Under Allowed Groups click on +
  4. Try to enter an AD group like ourDomain\Domain Admins
  5. Error: Only the formats (domain\group name) for domain groups or (group name) for local groups are allowed

Expected behavior
You should be able to enter an AD group with a space in the name; in fact, I have been able to in the past, but I can no longer do this.


cmkb03 commented 2 years ago

Does it work if you enclose the group in quotes?

PeterRoots commented 2 years ago

Hard to say, as it is no longer possible to add AD groups of any kind.

https://github.com/MicrosoftDocs/Windows-Admin-Center-Ideas-and-Feedback/issues/70 and https://github.com/MicrosoftDocs/Windows-Admin-Center-Ideas-and-Feedback/issues/69

PeterRoots commented 2 years ago

Well, an update has given us back the ability to control access with domain groups but has not fixed the issue of domain groups with spaces in the name. Quoting them does not work (single or double quotes). Considering many of the Windows built-in groups have spaces and Domain Admins is a pretty widely used group, this is a fairly significant issue.
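The format named in the error message above, `domain\group name` or `group name`, can be parsed so that a space inside the group name is accepted and a quoted value is rejected with a reason. This is an added example, not code from Windows Admin Center or from any commenter; `parseGroupIdentity`, the domain-part pattern, the length bound and the sample inputs are assumptions made for illustration.

```javascript
// Added example; not Windows Admin Center's validation code.
// Characters that a SAM account name (user or group) may not contain.
const SAM_INVALID = /["\/\\\[\]:;|=,+*?<>]/;
const CONTROL_CHARS = /[\u0000-\u001f]/;
// Assumption: the domain part is a NetBIOS or DNS-style name without spaces.
const DOMAIN_OK = /^[A-Za-z0-9][A-Za-z0-9._-]*$/;
// Assumption: 256 is used as the upper bound for a group's SAM account name.
const MAX_NAME_LENGTH = 256;

function reject(reason) {
  return { ok: false, reason };
}

// Accepts "domain\group name" or "group name"; spaces inside the name are legal.
function parseGroupIdentity(input) {
  if (typeof input !== "string" || input.length === 0) return reject("empty input");
  // Do not trim silently: the caller should see that the value was malformed.
  if (input !== input.trim()) return reject("leading or trailing whitespace");

  const parts = input.split("\\");
  if (parts.length > 2) return reject("more than one backslash");

  const domain = parts.length === 2 ? parts[0] : null;
  const name = parts[parts.length - 1];

  if (domain !== null && !DOMAIN_OK.test(domain)) return reject("invalid domain part");
  if (name.length === 0) return reject("missing group name");
  if (name.length > MAX_NAME_LENGTH) return reject("group name too long");
  // Quote characters are treated as literal characters, never as quoting syntax.
  if (SAM_INVALID.test(name) || CONTROL_CHARS.test(name)) {
    return reject("invalid character in group name");
  }
  return { ok: true, domain, name, local: domain === null };
}

// Constructed sample inputs (not taken from any real environment).
const samples = ["ourDomain\\Domain Admins", "Administrators", "\"ourDomain\\Domain Admins\"", "ourDomain\\"];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", JSON.stringify(parseGroupIdentity(s)));
}
```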

Louisjreeves commented 1 year ago

I tested this all weekend. I found that the first time I created a group called wacgatewayadmin, it showed as a WAC gateway administrator for some time and then reverted to a user group!

I verified in the HAR file: the group said gateway administrator but was not functioning as a gateway administrator! It was showing under users!

I finally did get a second group to also be a gateway administrator, and the HAR looks encouraging. But the other group had to match the built-in group in every way!

Steps

  1. Create a new AD group based off the builtin administrators (copy)

  2. Add the same membership to that group

  3. Add wacgatewayadmin to the WAC credssp admin group

  4. Add wacgatewayadmin to the local Administrators group.

I get the following in the HAR browser logs:

[{"name":"BUILTIN\Administrators","type":"SecurityGroup"},{"name":"rreerc\wacgatewayadmin","type":"SecurityGroup"}]

I removed myself from the entire administrator group membership, at least locally.

It does seem to be working, but I am concerned it is going to revert the whole group again. FYI: it seems you can make another built-in group the gateway administrator, but no spaces in that group, and it has to be in the Builtin OU of AD.

And you see now I show two gateway administrators, and it seems to hold.

Good Luck

PS: I did check the event log, and the only reason this is working is because the group is in the builtin group.

That restriction is still there.

Louisjreeves commented 6 months ago

I still don't see the issue fixed in the new version. It's hard when you have domain requirements and extension requirements to meet them both seamlessly. The better thing would be to have one login token and allow the extension to just use the Windows token. At least partners like Dell would benefit from making better integrated extensions. 2111.1.5.2402.07001 #iwork4dell