lithnet / access-manager

Access Manager provides web-based access to local admin (LAPS) passwords, BitLocker recovery keys, and just-in-time administrative access to Windows computers in a modern, secure, and user-friendly way.

Transient objects created in Azure Active Directory #173

Closed chadht closed 1 year ago

chadht commented 1 year ago

Unable to remove JIT group from Azure Active Directory

The temporary group created by JIT is removed from Active Directory after the time expires but remains in Azure Active Directory as a transient object and requires a full sync to remove the group. Has anyone experienced this?

Thanks, Chad
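The following PowerShell is an added example to illustrate the situation described in this issue; it is not part of the thread and not code from the Lithnet project. It lists the dynamic JIT groups still present on-premises with their expiry timestamp (AD dynamic objects carry the `dynamicObject` auxiliary class and an `msDS-Entry-Time-To-Die` value), and then triggers the full Azure AD Connect sync cycle that the report says is needed to clear the leftover objects. It assumes the ActiveDirectory module on a domain-joined admin host, the ADSync module on the Azure AD Connect server, and a placeholder OU for the JIT dynamic-group container.

```powershell
# Added example (not from the thread or the Lithnet project).
# Part 1 runs on any host with RSAT / the ActiveDirectory module.
# Part 2 runs on the Azure AD Connect server (ADSync module).

Import-Module ActiveDirectory

# Placeholder: replace with the container configured as the JIT dynamic group OU.
$jitContainer = 'OU=JIT-Groups,DC=example,DC=com'

function Get-JitDynamicGroup {
    param([string]$SearchBase)

    # Only dynamic groups (RFC 2589 dynamicObject class) are returned; each one
    # carries the timestamp at which AD will delete it.
    Get-ADObject -SearchBase $SearchBase `
                 -LDAPFilter '(&(objectClass=group)(objectClass=dynamicObject))' `
                 -Properties 'msDS-Entry-Time-To-Die' |
        Select-Object Name, DistinguishedName,
            @{ Name = 'ExpiresUtc'; Expression = { ([datetime]$_.'msDS-Entry-Time-To-Die').ToUniversalTime() } }
}

# Part 1: what is still alive in AD. Anything that expired earlier is already gone
# here, which is exactly why it cannot be matched and removed by a delta sync.
Get-JitDynamicGroup -SearchBase $jitContainer | Format-Table -AutoSize

# Part 2 (Azure AD Connect server): force a full import/sync cycle instead of the
# scheduled delta so the orphaned groups are re-evaluated and removed from Azure AD.
function Start-FullAadSync {
    Import-Module ADSync

    $scheduler = Get-ADSyncScheduler
    if ($scheduler.SyncCycleInProgress) {
        Write-Warning 'A sync cycle is already running; try again once it has finished.'
        return
    }

    # 'Initial' = full sync, as opposed to the default 'Delta' policy type.
    Start-ADSyncSyncCycle -PolicyType Initial
}

# Uncomment on the Azure AD Connect server:
# Start-FullAadSync
```

A full sync on a large tenant can take a long time and briefly increase load on the domain controllers, so run it outside business hours where possible; the check against `SyncCycleInProgress` avoids queuing a second cycle behind one that is already running.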

ryannewington commented 1 year ago

Hi @chadht

We've done away with dynamic groups in v2, so this shouldn't be an issue going forward. But I can certainly see why it would be an issue. v2 uses its own internal scheduler to add and remove users from the group directly when their JIT access expires. We're not far away from release now, and you can check out the preview build if you like.

chadht commented 1 year ago

Hi Ryan,

Thanks for your quick response and the link for the preview version!

For my current setup do you know why on the JIT mode screen it says the domain functional level is Server 2008 when I'm using version 2019? Would enabling the PAM feature resolve my dynamic group transient object issue? Is there a way to remove what I have set for the dynamic group container or would I need to select a new path/OU? Thanks again for your help.

Chad Tidgewell IT Security | HCPSS

ryannewington commented 1 year ago

The domain functional level must be manually raised.

https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/raise-active-directory-domain-forest-functional-levels

Once you raise the DFL to say server 2016, that means from that point on, you can only have 2016 or later domain controllers. So it's a manual step because it's a one-way trip.

However to make the most of new AD features, you need to raise your DFL.

The PAM feature is the superior JIT option, and if you have the ability to turn it on, I'd highly recommend it. Restart AMS once you've raised the DFL and enabled the optional feature, and AMS will automatically detect PAM support and start using it.
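As an added example (not part of the thread and not code from the Lithnet project), the PowerShell below reports the current forest and domain functional levels and whether the Privileged Access Management optional feature is enabled, which is the state AMS detects after a restart. One caveat worth knowing before following the advice above: the PAM optional feature is a forest-level feature and requires the forest functional level to be Windows Server 2016 or later, not only the domain functional level, and enabling it is irreversible, just like raising the functional level. The example assumes the ActiveDirectory module and an account with Enterprise Admins rights for the enable step; everything else is read-only.

```powershell
# Added example (not from the thread or the Lithnet project).
Import-Module ActiveDirectory

function Get-JitPrerequisite {
    # Read-only: functional levels plus the PAM optional feature state.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $pam    = Get-ADOptionalFeature -Identity 'Privileged Access Management Feature'

    [pscustomobject]@{
        Forest            = $forest.Name
        ForestMode        = $forest.ForestMode
        Domain            = $domain.DNSRoot
        DomainMode        = $domain.DomainMode
        PamFeatureEnabled = [bool]($pam.EnabledScopes.Count -gt 0)
        PamEnabledScopes  = $pam.EnabledScopes
    }
}

$state = Get-JitPrerequisite
$state | Format-List

# Windows2016Forest is the minimum forest level for the PAM feature.
$minForestMode = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2016Forest

if ($state.PamFeatureEnabled) {
    Write-Host 'PAM optional feature is already enabled; restart AMS so it switches to PAM-based JIT.'
}
elseif ([int]$state.ForestMode -lt [int]$minForestMode) {
    Write-Warning ("Forest functional level is {0}; raise it to Windows Server 2016 or later first. " +
                   "This is a one-way change: only 2016+ domain controllers can be added afterwards.") -f $state.ForestMode
}
else {
    # Enabling the feature is also irreversible, so -Confirm forces an explicit prompt.
    Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
                             -Scope ForestOrConfigurationSet `
                             -Target $state.Forest `
                             -Confirm
}
```

Run it once before and once after raising the functional level and enabling the feature; the second run should show `PamFeatureEnabled : True` with the forest partition listed under `PamEnabledScopes`, after which restarting AMS is the only remaining step.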

stale[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs.