lithnet / access-manager

Access Manager provides web-based access to local admin (LAPS) passwords, BitLocker recovery keys, and just-in-time administrative access to Windows computers in a modern, secure, and user-friendly way.

Lithnet Service Account permissions cause warnings in Exchange ECP when editing groups. #165

Open grumpymojo opened 2 years ago

grumpymojo commented 2 years ago

Describe the bug: When editing a group in on premise Exchange ECP, you get a warning that the group is corrupted because object "43061ac1-c8ad-4ccc-b785-2bfac20fc60a" can't be resolved.

To Reproduce: Steps to reproduce the behavior:

  1. Go to on premise Exchange ECP
  2. Click on 'Groups'
  3. Select a group and click edit.
  4. See error

Expected behavior: No warning

Screenshots Lithnet_service_account

Access Manager installation

Additional context: The object mentioned above is the Lithnet Service Account created during setup. I'm guessing the PowerShell script that sets permissions doesn't limit itself to just computer objects. I'm guessing the way around this issue is to only apply the permissions to OUs that contain computers, instead of the domain root, but I thought it was worth logging a bug in case you have any other suggestions.

grumpymojo commented 2 years ago

Just some additional information. It's specifically the permissions for BitLocker Recovery Password recovery that cause this issue. I have solved this myself by removing these permissions from the root of the domain and then running the permission script only against OUs with computer objects.

There is probably nothing for you to fix but it might be worth mentioning in the documentation.
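
A read-only way to see where the service account holds explicit ACEs before and after re-scoping from the domain root to computer OUs, as described in the comment above. This is an added example, not part of the issue or of Lithnet's own scripts; the account name is a placeholder, and it assumes the RSAT ActiveDirectory module and that the BitLocker delegation is an ACE inherited by msFVE-RecoveryInformation objects.

```powershell
# Added example: audits explicit ACEs only, changes nothing in the directory.
# Assumption: the RSAT ActiveDirectory module is installed (provides the AD: drive).
Import-Module ActiveDirectory

# Placeholder: replace with the Access Manager service account in your domain.
$Account = 'EXAMPLE\svc-placeholder'

$rootDse = Get-ADRootDSE
$domain  = $rootDse.defaultNamingContext

# Look up the schema GUID of the class that stores BitLocker recovery passwords,
# rather than hard-coding it.
$class = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=msFVE-RecoveryInformation)' `
    -Properties schemaIDGUID
$fveGuid = [guid]$class.schemaIDGUID

# Containers to inspect: the domain root plus every OU.
$targets = @($domain) + @(Get-ADOrganizationalUnit -Filter * |
    Select-Object -ExpandProperty DistinguishedName)

$report = foreach ($dn in $targets) {
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { -not $_.IsInherited -and
                       $_.IdentityReference.Value -eq $Account } |
        ForEach-Object {
            [pscustomobject]@{
                Container     = $dn
                Rights        = $_.ActiveDirectoryRights
                Inheritance   = $_.InheritanceType
                # True when the ACE is inherited only by recovery-information objects
                AppliesToFve  = ($_.InheritedObjectType -eq $fveGuid)
                # True when at least one computer object exists under this container
                HasComputers  = [bool](Get-ADComputer -Filter * -SearchBase $dn `
                                    -ResultSetSize 1)
                AtDomainRoot  = ($dn -eq $domain)
            }
        }
}

# Rows with AtDomainRoot = True, or HasComputers = False, are broader than the
# OU-scoped delegation described in the comment above.
$report | Sort-Object Container | Format-Table -AutoSize
```
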

stale[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs.