  • Refresh Group Membership

    I have a disk with some 1700 folders under a single share that the users connect to. I use “ABE” to hide the folders that are of no interest, so that the typical user will end up seeing only five or ten folders under the mapped drive. The total amount of data is about 1.3Tb, so I’m not very keen on working with file rights based on individual users; I’d rather manage the NTFS rights by using groups of some sort based on Active Directory.

    I have two main issues right now that I’d like your help to address:
    ¤ Access to files or folders based on group membership is not reflected dynamically, e.g. if I grant USER1 membership of GROUP1 (where GROUP1 has rights to a file or a folder), the user will have to log off and log on again to get the right set of tokens. Plan B would be to have the user wait for 10-12 hours for the Kerberos ticket to renew (?).
      Is there a way to manually – from the server or the client – initiate a re-authorization in order to get the new membership information?

    ¤ Since the information is available from more than ten sites, each with its own DC, I’m also interested in finding a way to propagate the new information instantly.


    Please let me know if I’m totally off track here, if I’m missing any obvious solutions or if the setup is just wrong. Any help, thoughts or ideas are appreciated.

    MagnusH

  • #2
    Re: Refresh Group Membership

    Mid-way, whohoo!
    Got a theory now and a way to handle the issue, not sure however what the impact may be…
    Synopsis;
    An administrator adds USER1 to GROUP1 in order to give the user rights to a file or a folder. Rather than asking the user to log off and then log on right away, we intend to do the following:
    First of all, replicate the new group membership information to the user’s favourite DC (e.g. the logon server). Once that is accomplished, we need to purge the user’s Kerberos tickets in order to be able to receive new information. After that, all we need to do is close any open sessions from the user / the user’s machine to the file server holding the files or folders USER1 would like to view.
    Finally, the user hits [F5] and pa-wao, there it is!
    The next step for us right now is to find a way to do all of the above with a mouse click via a script or an application – and of course the flow should be done and over in less than a blink…

    Any thoughts on security considerations or if you’d like to contribute with some scripting, please let me know. I’ll try to post an embryo or test ready solution once we get there.

    MagnusH

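    The procedure sketched in #2 (replicate, drop the user’s sessions on the file server, purge the user’s tickets), written out as an added PowerShell example; this is not code posted by MagnusH or anyone else in the thread. It assumes an elevated session on a domain-joined admin host with repadmin.exe and the SmbShare cmdlets (Windows Server 2012 / Windows 8 or later) available; USER1, FS01 and DC01 are placeholders. Two points worth keeping in mind: forcibly closing an SMB session discards whatever the user has open unsaved, so the script lists open files before it closes anything; and the ticket purge cannot be done from the server, because `klist purge` only clears the ticket cache of the logon session it runs in.

```powershell
<#
 Added example, not code from this thread. Scripts the three steps from post #2
 for one user after an admin has changed that user's group membership:
   1. replicate the change to all DCs so the user's logon server issues a fresh PAC,
   2. close the user's SMB sessions on the file server so its cached token is dropped,
   3. purge the user's Kerberos tickets so the next share access does a new AS/TGS exchange.
 Assumptions (placeholders, not from the thread): run elevated on a domain-joined admin host
 with repadmin.exe and the SmbShare cmdlets (Windows Server 2012+ / Windows 8+) available.
#>

function Sync-DomainControllers {
    # Push replication from the DC where the group was edited to every other DC:
    # /A all partitions, /d identify servers by DN in output, /e include other sites, /P push.
    param([Parameter(Mandatory)][string] $SourceDC)
    & repadmin.exe /syncall $SourceDC /AdeP | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "repadmin /syncall $SourceDC failed (exit code $LASTEXITCODE)" }
}

function Get-UserOpenFiles {
    # Files the user currently holds open on the file server. Closing the session below
    # drops these without saving, so list them first and decide whether to proceed.
    param([string] $FileServer, [string] $Account)   # $Account as DOMAIN\user
    Get-SmbOpenFile -CimSession $FileServer |
        Where-Object { $_.ClientUserName -ieq $Account } |
        Select-Object ClientComputerName, Path
}

function Close-UserSmbSessions {
    # Drop every SMB session the user has to the file server. The server builds its copy of
    # the user's token from the service ticket presented at session setup, so the session
    # has to go before a ticket carrying the new group list can take effect.
    param([string] $FileServer, [string] $Account)
    $sessions = @(Get-SmbSession -CimSession $FileServer |
        Where-Object { $_.ClientUserName -ieq $Account })
    foreach ($s in $sessions) {
        Close-SmbSession -CimSession $FileServer -SessionId $s.SessionId -Force
    }
    return $sessions.Count
}

function Invoke-GroupRefresh {
    param(
        [Parameter(Mandatory)][string] $User,        # sAMAccountName, e.g. USER1 (placeholder)
        [Parameter(Mandatory)][string] $FileServer,  # server hosting the share (placeholder)
        [Parameter(Mandatory)][string] $SourceDC,    # DC on which the group was edited (placeholder)
        [string] $Domain = $env:USERDOMAIN
    )
    $account = "$Domain\$User"

    Sync-DomainControllers -SourceDC $SourceDC

    $open = @(Get-UserOpenFiles -FileServer $FileServer -Account $account)
    if ($open.Count -gt 0) {
        Write-Warning "$account has $($open.Count) open file(s) on $FileServer; closing the session discards unsaved changes:"
        Write-Warning ($open | Format-Table -AutoSize | Out-String)
    }

    $closed = Close-UserSmbSessions -FileServer $FileServer -Account $account
    Write-Output "Closed $closed SMB session(s) for $account on $FileServer."

    # Step 3 has to happen in the user's own logon session on the workstation (the user runs
    # it, or a logon script / helper running as that user does). A renewed TGT would not help:
    # renewal reuses the PAC already in the ticket, purging forces a fresh AS-REQ and a new PAC.
    Write-Output "Now run 'klist purge' in $account's logon session, then reconnect to \\$FileServer."
}

# Usage (placeholder values):
# Invoke-GroupRefresh -User USER1 -FileServer FS01 -SourceDC DC01
```

    Note that this only refreshes the token the file server builds for the user’s network session; the user’s local desktop token is still the one built at interactive logon, so anything that depends on group membership on the workstation itself still needs a logoff and logon.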


    • #3
      Re: Refresh Group Membership

      Are you sure about this?
      The group membership is not refreshed on TGT renewal as far as I'm aware. The security token is constructed only at logon - the client does not request the PAC when renewing (the PAC part of the TGT holds the group membership).
      Last edited by guyt; 30th September 2007, 23:33.
      Guy Teverovsky
      "Smith & Wesson - the original point and click interface"



      • #4
        Re: Refresh Group Membership

        Originally posted by guyt
        Are you sure about this?
        The group membership is not refreshed on TGT renewal as far as I'm aware. The security token is constructed only at logon - the client does not request the PAC when renewing (the PAC part of the TGT holds the group membership).
        Well, I can't prove you wrong. Right now I’m like a bumblebee, not being aware that I shouldn’t be able to fly from an aerodynamic point of view – renewing the tickets and sessions does the job for us.
        To your knowledge, is there any other way to attack the “renew group membership dynamically” issue? Rather than going for a logoff/logon solution, I believe that the customer will decide on a “rights per individual user” approach.

        MagnusH
