AD Filter for Group Membership

We recommend setting up your Directory Connection based on Security Group membership.

Related Topic:

Filtering by Security Group Membership

To successfully manage the directory users and roles you wish to use in Password Server, it is helpful to assign all of these to belong to a Security Group. We can either check membership in one group or in multiple groups.

We can filter users and roles from these locations:

  • Directory Settings: Advanced User / Role Filters
  • Import Pages: Search Filters

Step 1: Add users & roles to a Security Group

All Password Server users and roles would need to be added to this group.

  • Create or use an existing security group, for example, "PPassUsers"
    • View the Distinguished Name of this group in the Attribute tab. This can be copied to your Directory settings.
  • Add all Password Server users and roles as members of this group

Step 2: Enter Search Filters
  • In the Directory settings or on the Import pages (for Users and for Roles), navigate to Advanced Settings > Search Filters > Additional User Filters section. We will enter values in these empty input boxes:

    AD-Search-Filter-clause-pic.png

    • Multiple Groups membership (group and its subgroups):
      • memberOf:1.2.840.113556.1.4.1941:    is    CN=PasswordServerUsers,OU=Users,DC=Domain,DC=comAdFilterNestedMemberOfStaffGroup.PNG
    • Direct Group membership:
      • memberOf       is        CN=PasswordServerUsers,OU=Users,DC=Domain,DC=com

  • Repeat the process for setting up Groups. Ensure all groups you want to import into Password Server are in this security group:

    • Advanced Settings > Search Filters > Additional Group Filters

Example

If you have multiple existing Security Groups, we can filter on the group hierarchy:

  • all users/roles of a group, and
  • all users/roles of the member subgroups

For example, if a user Bob is a member of Marketing, and Marketing is a member of the group Staff:

  • memberOf includes only Marketing
    • just filters on 1 group (direct membership only)
  • memberOf:1.2.840.113556.1.4.1941: includes both Marketing and Staff
    • will filter on all group itself and all subgroup members

     

References:

Tag page
You must login to post a comment.