+ Post New Thread
Results 1 to 12 of 12
Home Access Plus+ Thread, AD OU Group not authenticating in Projects:; Our Top Level is OU is 'TJWA'. I have users in 'OU=Administators,OU=TJWA' who cannot authenticate. However all users in OU's ...
  1. #1

    Join Date
    Nov 2011
    Posts
    13
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    AD OU Group not authenticating

    Our Top Level is OU is 'TJWA'. I have users in 'OU=Administators,OU=TJWA' who cannot authenticate. However all users in OU's under 'OU=Users,OU=TJWA' can authenticate without problem. Any idea's anyone?

    TIA

    Artie

  2. #2
    nickbro's Avatar
    Join Date
    Jul 2010
    Location
    Gilwern, Wales
    Posts
    3,355
    Thank Post
    36
    Thanked 466 Times in 398 Posts
    Rep Power
    105
    That's odd. Are your administrators members of the domain users group?

  3. #3

    Join Date
    Nov 2011
    Posts
    13
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Not in Domain Admins

    Quote Originally Posted by nickbro View Post
    That's odd. Are your administrators members of the domain users group?
    No, the Administrators group was set up to allow elevated Administrator type privileges with having Domain Admin privileges

  4. #4

    Join Date
    May 2011
    Location
    Jus North of London, close but not too close
    Posts
    672
    Thank Post
    155
    Thanked 51 Times in 49 Posts
    Rep Power
    33

    Not members of Domain Users

    Quote Originally Posted by ArtieBall View Post
    No, the Administrators group was set up to allow elevated Administrator type privileges with having Domain Admin privileges
    Is there any other reason why the administrators are not members of Domain Users.

    Administrators can be made members of both Domain Users and Domain Administrators so find the setup a bit weird.

    Unless Domain Users group has been denied access to something on purpose of course?

  5. #5

    Join Date
    Nov 2011
    Posts
    13
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    Our IT support has been outsourced.... the pseudo Administrators OU has been created by them to give some users elevated Administrator privileges without them being Domain Admins...

  6. #6

    Join Date
    May 2011
    Location
    Jus North of London, close but not too close
    Posts
    672
    Thank Post
    155
    Thanked 51 Times in 49 Posts
    Rep Power
    33
    As I said, pretty weird but I do not know the politics etc. or their thoughts/plans for setting it up this way.

  7. #7
    mattgrimley's Avatar
    Join Date
    Jun 2011
    Location
    Bedfordshire
    Posts
    315
    Thank Post
    35
    Thanked 21 Times in 19 Posts
    Blog Entries
    1
    Rep Power
    9
    Quote Originally Posted by ArtieBall View Post
    Our IT support has been outsourced.... the pseudo Administrators OU has been created by them to give some users elevated Administrator privileges without them being Domain Admins...
    But domain users and domain admins are not the same thing.. the "domain users" group has typically very limited access and i would expect any user of the domain to be a member of that group (fundamentally)..

    As @Davit2005 says we dont know the reasons for it being set up this way, but i would think that is going to be a recurring problem.. (I understand why you wouldnt want outsourced people to have "Domain Admin" rights, but i would think "Domain Users" is fundamental..

  8. #8
    Jamo's Avatar
    Join Date
    Jan 2009
    Posts
    1,346
    Thank Post
    66
    Thanked 174 Times in 146 Posts
    Rep Power
    59
    Are there odd security permissions on the OU itself?

  9. #9

    Join Date
    Nov 2011
    Posts
    13
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    Ok.... Maybe I need to eleborate... Our Domain is now under the control of the Outsource Company.... as the ex Network Manager I am still here in a different role and I have been put into the Administrators OU, but I do not have Domain Admin permissions. I do however have higher permissions than other network users.

    In the hapconfig file, for the Group "Management" I have set showto="Administrators". I am in the Adminstrators group but I do not see the Management functions when I login.

  10. #10
    nickbro's Avatar
    Join Date
    Jul 2010
    Location
    Gilwern, Wales
    Posts
    3,355
    Thank Post
    36
    Thanked 466 Times in 398 Posts
    Rep Power
    105
    Administrators Group or Administrators OU. Two totally different things. HAP+ only picks up on the Group, the OU is used for populating the user drop down lists.

  11. #11

    Join Date
    Nov 2011
    Posts
    13
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    Is there no way to get HAP to search particular OU's for "showto" etc? It obviously searches OU's under OU=Users, because if in the config file I put showto"Teaching Staff" it works. The Teaching Staff OU is contained in the Users OU. Where does HAP start searching in the tree, can it be tweaked?

    TIA

    Artie

  12. #12
    nickbro's Avatar
    Join Date
    Jul 2010
    Location
    Gilwern, Wales
    Posts
    3,355
    Thank Post
    36
    Thanked 466 Times in 398 Posts
    Rep Power
    105
    The showto, only does AD Groups, not AD OUs.

SHARE:
+ Post New Thread

Similar Threads

  1. Printer Script that uses a machines AD OU
    By Arcath in forum Scripts
    Replies: 4
    Last Post: 4th May 2010, 11:29 AM
  2. Smoothwall SG in non transparent mode not authenticating users
    By ssiruuk2 in forum Internet Related/Filtering/Firewall
    Replies: 8
    Last Post: 23rd October 2009, 03:16 PM
  3. AD User Accounts Not Inheriting Permissions
    By OutLawTorn in forum Windows Server 2000/2003
    Replies: 0
    Last Post: 19th October 2009, 10:56 PM
  4. Replies: 0
    Last Post: 27th February 2008, 01:42 PM
  5. Replies: 5
    Last Post: 7th February 2007, 11:28 AM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •