CPPM: Using Domain Users for role mapping (Primary Group Membership)
If you haven't noticed by now, CPPM uses the MemberOf command to retrieve users group information from LDAP and AD. The problem with this method is that the MemberOf command does not retrieve the Primary Group Membership attribute of the user (this is a Microsoft limitation not CPPM). This can be an issue as by default a users Primary Group Membership is the Domain Users Group or for other built in accounts who might have a different primary group membership. This leads to issues when customers want to use the Domain Users group for role mapping and enforcement.
It also becomes a problem in troubleshooting why a specific user maynot be getting a proper role. For instance, If user A is in accounting and the domain admin has changed that users primary group membership to the accounting group. Then the MemberOf command will not return the group accounting and role mapping will fail.
How can we check the primary group membership of a user?
Log into the Domain Controller and launch the Active Directory Users and Computers MMC (found in Administrator Tools Folder); Find the user and double click the name to open the user properties. Click on the MemberOf tab and look at the bottom of the window. You will see the Primary Group: membership there.
So how can we get around this limitation?
Luckily there is a AD attribute that we can reference instead of Domain Users, this is the PrimaryGroupID but in order to use this attribute, we much update the authentication source to check for this.
Adding the attribute to Authentication Source:
Log into CPPM > Configuration > Authentication > Sources > Click on the Active Directory Source > Attributes Tab > Edit the Authentication Filter > Click to add and type in "primaryGroupID" "primaryGroupID" enable as attribute.
Save, Save and close:
Now we much map the role.
Create a role mapping, or edit an existing and add the following Role Mapping Rule:
Authorization:<Domain name> : primaryGroupID : Equals : 513
513 is the primary group ID of the Domain Users Group.
If you are trying to match a different group that is now the primary group of the user, you will have to change to advanced mode, click on Attribute Editor of the user and scroll down until you file the primaryGroupID. The number listed there will be the ID of the group you will need to match.
Once this is done, you can assign that role in your enforcement profile and you are all set.
But wait, there's more.
What if someone changed the primary group membership of a user from Domain Users to something else?!
Well, luckily there is an LDAP query we can run and look for anyone's primaryGroupID is not 513;
To do this, Log into the users Active Directory Server or Domain Controller.
Launch "Domain Users and Computers" MMC
At the to you will see a folder called 'Saved Queries' right click on it and select NEW > Query
Give it a name and select Define Query
Change the drop down from Common Query to Custom Search
Press the Advanced Tab and type in the following:
Click Ok and Ok to get out.
You will now see it listed under the save queries folder. Click on it and all the users whose primary group is not Domain Users will appear in the right window.
By Default you will see the 'Guest' User account, since it is built in and not a member of the Domain Users Group.