Server2k8: Prevent membership in a group based on membership in another group

I'm revamping my company's service accounts, and we've discovered that some need to be able to log on locally, and some are OK with just logging in as a service. I've created two groups, SvcAcct_Restricted and SvcAcct_Full. "Restricted" is set up via GPO to be denied any form of interactive login. The "Full" group is a placeholder for now, but some stuff might get added to it later. I want each service account to be in ONE of the two groups. If a service account that needs full access gets added to the restricted group, services fail, phones ring, bosses blow things out of proportion, meetings meetings meetings, etc.

What I'd like to do is prevent any user account from being added to the "Restricted" group if it is already a member of "Full" and vice versa. I popped into advanced security settings, but didn't see anything that looked like "deny membership" and my Google-fu is weak today.

AD schema is at Windows 2008R2.

Any help is greatly appreciated!


Solution 1:

There isn't built-in functionality in the product to do what you're looking for.

Security groups don't have an ACL mechanism to control which members are added, only who can modify the membership. What you've got is an interesting conundrum. In the filesystem world Dynamic Access Control (DAC) could solve the problem you've got handily, but DAC-like boolean group membership functionality doesn't apply to privileges.

Your best bet is going to be to script something, unfortunately. You likely could write a script that receives change notifications to make its operation near-realtime, versus running on a set schedule.


There are bolt-on AD management systems that can do what you're looking for. They work by restricting group membership changes to only the AD management system's security context, forcing you to use the management system itself to perform group membership changes.

You could mock something like that up yourself for this one group, too. You could limit membership changes on your "Restricted" group to a specific security context, then run a script in that context that makes the membership changes.

Is there a good chance, knocking something together yourself like this that you could create vulnerabilities? Yes-- absolutely! Be careful, if you opt to do something like this.
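A minimal version of the scripted approach the answer describes, added here as an example (not the answerer's code or anything shipped with Windows). The two group names come from the question; the "-Remediate" switch and the policy of treating "Full" as the explicit grant are assumptions.

```powershell
# Added example: detect (and optionally fix) accounts that sit in both groups.
# Group names come from the question; the remediation policy is an assumption.
#Requires -Modules ActiveDirectory
param(
    [string]$RestrictedGroup = 'SvcAcct_Restricted',
    [string]$FullGroup       = 'SvcAcct_Full',
    [switch]$Remediate   # without this switch the script only reports
)
Import-Module ActiveDirectory

# Resolve both memberships once; -Recursive also catches nested-group paths.
$restricted = Get-ADGroupMember -Identity $RestrictedGroup -Recursive |
              Where-Object objectClass -eq 'user'
$full       = Get-ADGroupMember -Identity $FullGroup -Recursive |
              Where-Object objectClass -eq 'user'

# Accounts present in both groups violate the "exactly one of the two" rule.
$conflicts = Compare-Object -ReferenceObject $restricted -DifferenceObject $full `
                -Property distinguishedName -IncludeEqual -ExcludeDifferent

foreach ($c in $conflicts) {
    $dn = $c.distinguishedName
    Write-Warning "Conflict: $dn is a member of both $RestrictedGroup and $FullGroup"

    if ($Remediate) {
        # Policy choice (assumption): "Full" is the explicit grant, so the account
        # is pulled out of "Restricted", the group whose deny-logon GPO is what
        # breaks a running service. Only direct members can be removed here;
        # memberships inherited through a nested group are reported only.
        $direct = Get-ADGroupMember -Identity $RestrictedGroup |
                  Select-Object -ExpandProperty distinguishedName
        if ($direct -contains $dn) {
            Remove-ADGroupMember -Identity $RestrictedGroup -Members $dn -Confirm:$false
            Write-Output "Removed $dn from $RestrictedGroup"
        } else {
            Write-Warning "$dn reaches $RestrictedGroup via a nested group; fix manually"
        }
    }
}
```

Run it without -Remediate first from a scheduled task under the dedicated security context the answer suggests, and only enable remediation once the reported conflicts match what you expect.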