Closed TheImpossible21 closed 6 months ago
@TheImpossible21
Certain groups like domain admins are protected by Active Directory and will have any ACL changes you make overwritten with the AdminSDHolder template
You'll need to modify this template, and add the GMSA with permission to modify the membership of the group to this ACL. Do note that this template applies to all objects protected by the AdminSDHolder, as per the link above.
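A worked example of the AdminSDHolder change described above, added here and not taken from the thread or the Lithnet project; it assumes the ActiveDirectory PowerShell module, Domain Admin rights, and a placeholder gMSA name (`AccessManagerGmsa$`):

```powershell
# Added example (not from the thread or the Lithnet project): grant a gMSA write access to the
# "member" attribute on the AdminSDHolder template so SDProp propagates it to protected groups.
# Assumptions: ActiveDirectory module available, run as Domain Admin, gMSA name is a placeholder.
Import-Module ActiveDirectory

$gmsaName = 'AccessManagerGmsa$'   # placeholder: sAMAccountName of the Access Manager gMSA

$domain   = Get-ADDomain
$holderDn = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
$gmsaSid  = (Get-ADServiceAccount -Identity $gmsaName).SID

# Resolve the schema GUID of the "member" attribute from the schema instead of hardcoding it.
$memberGuid = [guid](Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=member)' -Properties schemaIDGUID).schemaIDGUID

# ACE: allow read and write of the "member" attribute only, on this object, no inheritance.
# Restricting the ACE to one attribute keeps the grant to "change membership", not full control.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $gmsaSid,
    ([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
     [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty),
    [System.Security.AccessControl.AccessControlType]::Allow,
    $memberGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

$acl = Get-Acl -Path "AD:\$holderDn"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$holderDn" -AclObject $acl

# Verify the ACE is present on the template.
Get-Acl -Path "AD:\$holderDn" | Select-Object -ExpandProperty Access |
    Where-Object { $_.IdentityReference.Value -eq "$($domain.NetBIOSName)\$gmsaName" -and
                   $_.ObjectType -eq $memberGuid }

# SDProp stamps this ACL onto every protected object (Domain Admins, Enterprise Admins,
# Administrators, ...) on its default 60-minute cycle, so the grant is not scoped to one group.
# To apply it without waiting, trigger SDProp manually on the PDC emulator:
$rootDse = [ADSI]'LDAP://RootDSE'
$rootDse.Put('runProtectAdminGroupsTask', '1')
$rootDse.SetInfo()
```

After the next SDProp run, compare the ACL of `CN=Domain Admins` against the template to confirm the ACE was copied rather than overwritten.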
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs.
Hi,
Trying to use the "Role Authorization rules" with the Domain Admin account, to enable timed access as a domain admin if needed.
Currently, when we go to request the role it throws the below error:
"An unexpected error occurred while trying to complete your request"
In the "Access-Manager-Webapp.log" it looks like the service account goes to assign the role but throws "Lithnet.AccessManager.Server.Authorization.RoleFulfillmentService|An error occurred when trying to grant JIT access to * for user ExampleDomain\Example Admin System.UnauthorizedAccessException: Access is denied."
I assume it's because the GMSA doesn't have permissions to assign users to Domain Admin? If so, is this not the use case this feature was designed for?
Cheers.