• State Suggested Answer
  • Replies 2 replies
  • Answers 1 answer
  • Subscribers 62 subscribers
  • Views 1097 views
  • Users 0 members are here
Options
Related

ARS Read/Write Group Members

jim.cochran
over 1 year ago

I was trying to give a user read/write group member permissions directly in ADUC based on what permissions another user had.

I gave the user read member and write member permissions as those were the permissions that I saw on a working user, however, this did not work.

I then used ARS to apply the Read/Write Group Member template to the group object and it worked.

So my question is: What are the exact permissions this template applies and what attributes does it update?

Thank you,

JC

Parents
  • 0 over 1 year ago

    Permissions delegated to accounts natively in ADUC do not carry over to Active Roles.  They are completely separate.  I could grant Full Control permissions to a user in ADUC on the top level domain, ensuring it replicates down through every OU to every object, etc.  But I still would have no rights whatsoever when I log in to Active Roles.

    The permissions that AR delegated can be seen by looking at the properties of the permission template applied to your user.  Click on Permissions, and you will see the full list it contains.

    Additionally, AR does give you the ability to sync the permissions delegated within itself to native ADUC, but this practice is typically not recommended.  

  • 0 over 1 year ago in reply to Eric Hibar Jr.

    Further to  's last point.

    I would create a brand new OU off the root of your domain.  Using the AR MMC, inspect the native permissions on that OU.  Then, apply the Access Template you want and have Active Roles propagate the permissions to AD.  Have another look at what native permissions were added.  You can then undo the application of the native permissions via the Access Template.

Reply
  • 0 over 1 year ago in reply to Eric Hibar Jr.

    Further to  's last point.

    I would create a brand new OU off the root of your domain.  Using the AR MMC, inspect the native permissions on that OU.  Then, apply the Access Template you want and have Active Roles propagate the permissions to AD.  Have another look at what native permissions were added.  You can then undo the application of the native permissions via the Access Template.

Children
No Data