I wanted to ask about the Active directory UC tool. I think it's a great addition to your plugin arsenal, and I finally found time to start testing it. We are planning on using this tool for our helpdesk to be able to provide rapid assistance to our customers for things such as disabling users upon employment termination, unlocking accounts, and resetting passwords. We also use groups for deploying access to applications, printers, etc, so being able to quickly see groups is an essential piece. This tool would allow us to provide helpdesk staff essential access without giving helpdesk staff direct console access or MMC access to any customer servers or internal administrative resources unnecessarily.
However, I would like to ask for a few feature requests, some security-related. Can you provide a Settings administrative center similar to that of Habitat, where certain buttons can be turned off and on? For example, we don't want our helpdesk staff to be able to create or remove users as that requires documented approval and privileged access control for our customers and is a security risk per SOC2 MSP compliance. Therefore, we would need the ability to turn off the buttons for "Add New User" and "Remove User", as adding new users requires evidence and privileged control, and user removal is never permitted as that would wipe out user object auditing.
Next, I have a request to auto-sort the users list. The list appears to be listed in the order the users are imported from one OU to the next. It can be problematic to find users if more than a couple of OUs exist or you have more than a few dozen users. It would be helpful if there was a toggle for either a complete sort of the list with no OUs, or a sort of the list with OU structures included. A simple alphabetizing of the list is really all that is needed without any OU structure shown, but I thought I'd mention that as an alternative if you want to be creative.
The next request is the AD Groups tab. This seems like a very nice feature. It seems that this feature was designed to only show groups within groups and only add groups within groups. Can this feature be modified to show the contents of the groups so we can see all users and objects within the groups, such as groups, users, and computers? Currently, it does not do that or allow adding users to groups, as it's only groups within groups. We also need the ability to turn off the button for "Remove Group", for the same reason as removing users, not to mention the risk of someone deleting a built-in group.
Another request for the possible settings administrative center is an on/off ability to be able to modify any built-in groups or AD default groups or add users to those groups. I say this because if the help desk could promote regular users to groups such as Administrators or Domain Admins, they could circumvent all privileged access control. Due to SOC2 MSP compliance, only special access users are permitted to be able to change any administrative group membership. For MSPs that is a requirement to be able to disallow that ability in order to use such a tool. MSPs like us use groups to determine application deployment and printer deployment, among others, so being able to make those group changes without a potential security violation is highly beneficial.
All in all, I think this plugin is a great asset. The only reason we haven't fully deployed it is due to the above security challenges. If those are taken into consideration, then we would be all in to fully deploy this. Thanks again for another great plugin.
Feature request and security concern
Re: Feature request and security concern
What I can do fairly quickly is put in place User Class control to features.
Super Admins to Automate would have full control over plugin where users that have a User Class of "ACUC" assigned would have limited control over AD.
We could even make 2 or more user classes so class (A) had more access than class (B) users.
Thus you could then add a user class to your techs that would allow them access to plugin controls.
We do this now with several other plugins so adding to ADUC would be easy enough.
As for adding Users to groups, you should be able to do this once the group is created. Going back to the User side of the plugin, select new user and add newly created group to user.
I can look at expanding the group management to include more group objects.
Re: Feature request and security concern
User classes seem like a good way to go.
The problem is that almost all users of Labtech would not be permitted to touch an elevated user account or a group with elevated privileges or default built-in users or groups. They are also not permitted to add users or remove users. In order to complete a SOC2 audit, the ability to touch those types of users or groups or the ability to add or remove must be highly restricted with multiple controls and auditing, so it is not permitted through the Labtech Interface. Those rules are fairly strict so I'm hoping we can lock down some of those features to super users only, or other user classes as you mentioned.
However, being able to perform helpdesk tasks on all other users or groups by all Labtech users would be an incredibly great asset.
Now pertaining to my comments on the groups tab, I don't think it's working as expected.
In the field that shows the members of the group, I don't see any users as members and I don't see any other groups other than built-in. I'm assuming its design only originally included the object types of built-in groups as members and not all other types of members. If it's possible to list the member types of all groups and all users, that would be great. I'm mentioning this because our groups consist of groups for applications and groups for printers among others, so when we click on those groups, it would be useful to see the users in those groups.
Thanks for your time, I really appreciate your work on this.
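One way to express the restrictions requested in this thread as a policy check: no user or group deletion for any class (it destroys object auditing), no user creation for the helpdesk class, and no changes to built-in or privileged groups except by super users. This is an added example, not the plugin's own code; the user classes, action names and protected-group list are assumptions, and it also flags objects by the AD adminCount attribute (set by AdminSDHolder), which goes beyond what the thread describes.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed policy for a helpdesk AD tool. All names below are assumptions for this example.
# Well-known privileged AD groups a tool like this should refuse to modify from a helpdesk class.
PROTECTED_GROUPS = {
    "administrators", "domain admins", "enterprise admins", "schema admins",
    "account operators", "backup operators", "server operators",
}

# Actions each user class may perform (assumption). Deleting users or groups is refused for
# every class because removing the object destroys its audit trail; disabling is the alternative.
HELPDESK_ACTIONS = {"unlock", "reset_password", "disable", "view_members", "add_member", "remove_member"}
ALLOWED_ACTIONS = {
    "helpdesk": HELPDESK_ACTIONS,
    "senior": HELPDESK_ACTIONS | {"create_user"},
    "super_admin": HELPDESK_ACTIONS | {"create_user"},
}
NEVER_ALLOWED = {"delete_user", "delete_group"}


@dataclass
class ADObject:
    name: str
    kind: str              # "user" or "group"
    admin_count: int = 0   # AD adminCount attribute: 1 means AdminSDHolder protects the object


def is_protected(obj: ADObject) -> bool:
    """Protected if AdminSDHolder flagged it or it is a well-known privileged group."""
    return obj.admin_count == 1 or obj.name.lower() in PROTECTED_GROUPS


def authorize(user_class: str, action: str, target: ADObject,
              group: Optional[ADObject] = None) -> Tuple[bool, str]:
    """Decide whether user_class may run action on target; membership changes also check the group."""
    if action in NEVER_ALLOWED:
        return False, f"{action} is disabled for every class: deletion destroys object auditing"
    if action not in ALLOWED_ACTIONS.get(user_class, set()):
        return False, f"class {user_class!r} may not perform {action}"
    if user_class != "super_admin":
        if is_protected(target):
            return False, f"{target.name} is a protected object; use the privileged-access process"
        if group is not None and is_protected(group):
            return False, f"membership of {group.name} is restricted to special-access users"
    return True, "allowed"
```

The reason string returned with each denial is meant to be written to the tool's audit log alongside the operator and target, which is the evidence a SOC2 review asks for.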
Re: Feature request and security concern
We just posted build 1.0.0.3 that adds the first of the permissions controls to the plugin.
Once upgraded and the DBagent restarted you should have a new user class appear in your user managers. Assign this user class to a tech or engineer to give them full access to the plugin.
We will be adding permission restrictions to this user class in further plugin updates.
Re: Feature request and security concern
We just posted the user permissions help doc for this control at viewtopic.php?t=6071; it describes what and when it will control usage.
Stage 1 was to get the framework in place so that control is available. The next build will have some restricted access to operations.
Re: Feature request and security concern
This sounds great. I really look forward to it. Thanks.
Re: Feature request and security concern
Build 1.0.0.4 is now released and available for downloads.
We completed the permissions features requested. Please visit the document form at viewtopic.php?p=9484#p9484 to see what's new and how it works.
Enjoy!