lithnet / access-manager

Access Manager provides web-based access to local admin (LAPS) passwords, BitLocker recovery keys, and just-in-time administrative access to Windows computers in a modern, secure, and user-friendly way.

JIT for Roles #226

Closed TheImpossible21 closed 6 months ago

TheImpossible21 commented 7 months ago

Hi,

Trying to use the "Role Authorization rules" with the Domain Admin account, to enable timed access as a domain admin if needed.

Currently, when we go to request the role it throws the below error:

"An unexpected error occurred while trying to complete your request"

In the "Access-Manager-Webapp.log" it looks like the service account goes to assign the role but throws "Lithnet.AccessManager.Server.Authorization.RoleFulfillmentService|An error occurred when trying to grant JIT access to * for user ExampleDomain\Example Admin System.UnauthorizedAccessException: Access is denied."

I assume it's because the GMSA doesn't have permissions to assign users to Domain Admin? If so, is this not the use case this feature was designed for?

Cheers.

ryannewington commented 7 months ago

@TheImpossible21

Certain groups like domain admins are protected by Active Directory and will have any ACL changes you make overwritten with the AdminSDHolder template

https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory

You'll need to modify this template, and add the GMSA with permission to modify the membership of the group to this ACL. Do note that this template applies to all objects protected by the AdminSDHolder, as per the link above.
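As an added illustration of the step described above (this is not code from the access-manager project or from its maintainer), the following PowerShell grants a gMSA the narrowest right that lets it change membership of AdminSDHolder-protected groups: a WriteProperty ACE scoped to the `member` attribute only, rather than GenericWrite or GenericAll. It then triggers SDProp so the template is stamped onto the protected groups immediately, and checks that the ACE actually landed on Domain Admins. The gMSA name `svc-ams-jit$` is a placeholder; the domain is taken from the machine's current domain.

```powershell
# Added example, not part of the access-manager project.
# Assumptions (placeholders): the Access Manager service gMSA is 'svc-ams-jit$',
# and this runs on a domain-joined host with the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

$gmsaName = 'svc-ams-jit$'   # placeholder: the Access Manager service account (gMSA)
$domain   = Get-ADDomain
$holderDn = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"

# schemaIDGUID of the 'member' attribute. Scoping the ACE to this single attribute
# means the gMSA can add/remove members but cannot otherwise modify protected objects.
$memberGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

$sid = (Get-ADServiceAccount -Identity $gmsaName).SID
$acl = Get-Acl -Path "AD:\$holderDn"

# Allow WriteProperty on 'member' only, with no inheritance (AdminSDHolder is a template,
# SDProp copies its ACL onto each protected object as-is).
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $memberGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$holderDn" -AclObject $acl

# SDProp normally runs on the PDC emulator every 60 minutes. Ask it to run now so the
# change reaches the protected groups without waiting for the next cycle.
$rootDse = [ADSI]"LDAP://$($domain.PDCEmulator)/RootDSE"
$rootDse.Put('runProtectAdminGroupsTask', '1')
$rootDse.SetInfo()

# Verify: the same ACE should now be present on Domain Admins (RID 512).
$daDn = (Get-ADGroup -Identity "$($domain.DomainSID)-512").DistinguishedName
(Get-Acl -Path "AD:\$daDn").Access |
    Where-Object { $_.ObjectType -eq $memberGuid -and
                   $_.IdentityReference -like "*$($gmsaName.TrimEnd('$'))*" } |
    Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType -AutoSize
```

Because the ACE is copied to every protected account and group, not just Domain Admins, the Access Manager authorization rules become the only control over which protected groups the service will actually modify; keep those rules as narrow as the JIT use case needs. Membership changes made through this right are still recorded by Active Directory auditing (for example event 4728 for global and 4756 for universal security groups on the domain controller), so alerting on those events for protected groups, with the gMSA as the expected actor, gives an independent record of each JIT grant and removal.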

stale[bot] commented 7 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs.