Also:
This is what our PXs look like:
PX1 - Remove/Add PR
*Action: InfoSec dept (Priority: 0)
Condition: If Dept = InfoSec
Add action: Grant InfoSec PR
Remove Action: Revoke InfoSec PR
*Action: Network dept (Priority: 0)
Condition: If Dept = Network
Add action: Grant Network PR
Remove Action: Revoke Network PR
PX2: Move account container
*Action: InfoSec dept (Priority: 0)
Condition: If Dept = InfoSec
Add action: Move account to Endpoint/Users/InfoSec
*Action: Network dept (Priority: 0)
Condition: If Dept = Network
Add action: Move account to Endpoint/Users/Network
*Action: Rogue account (Priority: 99)
Condition: none
Add action: Move account to Endpoint/Users/Rogue
------------------------------
Software Consultant
Gliat Tecnologia da Informação
São Paulo
Brazil
------------------------------
Original Message:
Sent: 03-17-2020 05:06 PM
From: Henrique Lima
Subject: Moving AD accounts upon changing PRs
So I have set up the filters so that the basic AD account is created based on the filter in the AT - this works OK. However, when I try to change PRs, IM is not removing the old group when the old PR is removed (using PX Remove Actions for this). The task responsible for submitting the changes has User Sync "at task completion" and Account Sync "in each event". I also need to move the account to different OUs depending on the role.
So now we have all test users with:
- STANDARD Account Template
- this has all containers in the "account containers" tab and the last entry is a fail-safe so the account is always created on the endpoint.
- STANDARD
Endpoint/Users/InfoSec (Filter: eTDepartment=INFOSEC)
Endpoint/Users/Network (Filter: eTDepartment=NETWORK)
Endpoint/Users/Rogue (Filter: eTGlobalUserName=*)
- ROLE Account Templates
- this has only the department-specific OU, the fail-safe OU, and the groups associated with the role. In my example, I will use:
- INFORMATION_SECURITY
- Account Containers:
Endpoint/Users/InfoSec (Filter: eTDepartment=INFOSEC)
Endpoint/Users/Rogue (Filter: eTGlobalUserName=*)
- AD Groups
InfoSec
- NETWORK
- Account Containers:
Endpoint/Users/Network (Filter: eTDepartment=NETWORK)
Endpoint/Users/Rogue (Filter: eTGlobalUserName=*)
- AD Groups
Network
By each event, I assume that IM would synchronize the account with the endpoint at every event occurring during the processing, as in:
This is what I understand should happen given all of the described above:
## INITIAL STATE ##
Action: Moving departments.
===========
Current PRs: STANDARD, INFOSEC
Current OU: Endpoint/Users/InfoSec
AD groups: Standard, InfoSec
===========
STEP 1) Remove INFORMATION_SECURITY role
- remove groups associated with the INFORMATION_SECURITY account templates from the user
*** since the admin task is set up to synchronize in all events, the changes would be replicated to the endpoint
===========
Current PRs: STANDARD
Current OU: Endpoint/Users/InfoSec
AD groups: Standard
===========
STEP 2) Grant NETWORK role
- grants groups associated with the NETWORK account templates to the user
(At this point, I understand we could have a synchronization issue as the NETWORK AT is pointing to a different OU than the one the already existing account is really in. However, since we have the STANDARD AT, which has all of the OUs, IM would be like "hey, I know where this account is" and would not attempt to create it.) (Also, we should now move the account to the correct OU, otherwise we will have a sync issue, now that the PR in place is pointing to the new OU.)
*** since task is set up to synchronize in all events, the changes would be replicated to the endpoint
===========
Current PRs: STANDARD, NETWORK
Current OU: Endpoint/Users/InfoSec
AD groups: Standard, Network
===========
STEP 3) Move account to new AD container
- move account to new container
*** since task is set up to synchronize in all events, the changes would be replicated to the endpoint
===========
Current PRs: STANDARD, NETWORK
Current OU: Endpoint/Users/Network
AD groups: Standard, Network
===========
############################################################################################################
However, when we remove the INFOSEC PR, even though we do have the account sync set to "each event", the groups are not being removed from the endpoint account. Therefore, when we add the NETWORK PR, the group is added to the account. At this point, the endpoint account has accumulated access from two departments, which is not what we want (and defeats the purpose of the entire solution). I understand that this behaviour would be expected if we had the account sync set to "task completion", as the PR removal would not be sync'd with the endpoint since it's doing it in the middle of the processing.
PLEASE help.
------------------------------
Software Consultant
Gliat Tecnologia da Informação
São Paulo
Brazil
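The failure mode described in the post above (an account that keeps the old department's group after the PR is swapped, or that lands in the fail-safe Rogue OU) is easy to miss in IM's own task view but is visible on the endpoint. The following PowerShell audit is an added example, not code from the thread or from Identity Manager: it walks the Users OU tree in AD and flags accounts whose OU or group membership does not match their department attribute, including stale groups from a previous department. The domain DN, the assumption that IM writes eTDepartment to the AD `department` attribute, and the OU/group names are taken from the post's layout and are assumptions to adjust for your environment.

```powershell
# Added example: detect accumulated department access on AD accounts
# after an IM PR change. Assumptions: DC=im,DC=local as the domain,
# OU=<Dept>,OU=Users as the container layout, and IM's eTDepartment
# mapped to the AD 'department' attribute.
Import-Module ActiveDirectory

$DomainDn = 'DC=im,DC=local'   # assumption
$DeptMap = @{
    'INFOSEC' = @{ Ou = "OU=InfoSec,OU=Users,$DomainDn"; Group = 'InfoSec' }
    'NETWORK' = @{ Ou = "OU=Network,OU=Users,$DomainDn"; Group = 'Network' }
}
$RogueOu    = "OU=Rogue,OU=Users,$DomainDn"
$DeptGroups = @($DeptMap.Values | ForEach-Object { $_.Group })

function Test-DeptAccountDrift {
    [CmdletBinding()]
    param(
        [string]$SearchBase = "OU=Users,$DomainDn"
    )
    Get-ADUser -SearchBase $SearchBase -Filter * -Properties department |
        ForEach-Object {
            $user     = $_
            $dept     = "$($user.department)".ToUpper()
            $groups   = @(Get-ADPrincipalGroupMembership $user | Select-Object -ExpandProperty Name)
            # Parent container = DN with the leading CN=... RDN stripped.
            $parentOu = $user.DistinguishedName -replace '^CN=[^,]+,', ''
            $expected = $DeptMap[$dept]
            $findings = @()

            if (-not $expected) {
                $findings += "no department mapping for '$($user.department)'"
            } else {
                if ($parentOu -ne $expected.Ou) {
                    $findings += "in $parentOu, expected $($expected.Ou)"
                }
                if ($groups -notcontains $expected.Group) {
                    $findings += "missing group $($expected.Group)"
                }
            }

            # The case from the thread: a group belonging to another department
            # is still present because the PR removal never reached the endpoint.
            $stale = @($groups | Where-Object { ($_ -in $DeptGroups) -and ($_ -ne $expected.Group) })
            if ($stale.Count -gt 0) {
                $findings += "stale department group(s): $($stale -join ', ')"
            }

            # An account created by the fail-safe container filter.
            if ($parentOu -eq $RogueOu) {
                $findings += 'landed in fail-safe Rogue OU'
            }

            if ($findings.Count -gt 0) {
                [pscustomobject]@{
                    SamAccountName = $user.SamAccountName
                    Department     = $user.department
                    Findings       = ($findings -join '; ')
                }
            }
        }
}

# Run it and list every account that does not match its department.
Test-DeptAccountDrift | Format-Table -AutoSize
```

Run this right after the IM task that moves the user completes; an account reported with both "stale department group(s)" and a correct OU is exactly the "accumulated access from two departments" state the post describes, and distinguishes an endpoint sync problem from a PX condition that never fired.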
Original Message:
Sent: 03-10-2020 02:50 PM
From: IYES DENDENI
Subject: Moving AD accounts upon changing PRs
The actual path of the OU should be something like this:
ADSOrgUnit=Users,ADSOrgUnit=AsiaPacific,EndPoint=<ADS Endpoint>,Namespace=ActiveDirectory,Domain=im,Server=Server
Leave <ADS Endpoint> as is, and substitute your nested OU structure from top to innermost as required.
Here is the View from AD Computers and Users:
--
Iyes Dendeni, CISSP/ITIL
Principal Solution Architect
Symantec Enterprise Division, Broadcom
Original Message:
This sounds like a good idea, but can you please guide me through the specifics on how to set up the filter here, as in I am not sure how to set up the Account Container path to use a dynamic value (variable) instead of a preconfigured value (the actual path for the OU).
------------------------------
Software Consultant
Gliat Tecnologia da Informação
São Paulo
Brazil
------------------------------