AD Filter for Group Membership

We recommend setting up the Directory Connection based on Security Group membership.

Use the steps from the relevant sections below to filter on one or more Security Groups.

Related Topic:

Filtering by Security Group Membership

To manage the directory users and roles you wish to use in Password Server, it is helpful to make all of them members of a Security Group. We can then filter either on direct membership in one group or on membership in multiple groups (a group and its subgroups).

We can filter on directory users and roles from these locations:

  • Directory Settings: Advanced User / Role Filters
  • Import Pages: Search Filters

Step 1: Add users & roles to a Security Group

All Password Server users and roles need to be added to this group.

  • Create or use an existing security group, for example, "PPassUsers"
    • View the Distinguished Name of this group in the Attribute tab
  • Add all password server users and roles as members of this group

Step 2: Enter Search Filters
  • In the Directory settings or on the Import pages (for Users and for Roles), navigate to the Search Filters section. We will enter values in these empty input boxes:

    • Multiple Groups membership (group and its subgroups):
      • memberOf:1.2.840.113556.1.4.1941:    is    CN=PasswordServerUsers,OU=Users,DC=Domain,DC=com
    • Direct Group membership:
      • memberOf       is        CN=PasswordServerUsers,OU=Users,DC=Domain,DC=com

  • Repeat the process for setting up Roles.

Example

If you have multiple existing Security Groups, we can filter on the group hierarchy:

  • all users/roles of a group, and
  • all users/roles of the member subgroups

For example, if a user Bob is a member of Marketing, and Marketing is a member of the group Staff:

  • memberOf includes only Marketing
    • just filters on 1 group (direct membership only)
  • memberOf:1.2.840.113556.1.4.1941: includes both Marketing and Staff
    • filters on the group itself and all of its subgroup members
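
The Bob / Marketing / Staff case above, as an added example that is not part of the original page or of Password Server. It assumes the two Search Filter rows correspond to standard LDAP filter clauses, uses constructed sample entries (Alice and Eve are hypothetical), and compares DNs as exact strings for simplicity.

```python
IN_CHAIN = "1.2.840.113556.1.4.1941"  # matching-rule OID shown on this page

def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def member_of_filter(group_dn, nested=False):
    """Raw LDAP clause for the direct or the nested (in-chain) row."""
    attr = "memberOf:%s:" % IN_CHAIN if nested else "memberOf"
    return "(%s=%s)" % (attr, escape_filter_value(group_dn))

def matches(directory, obj_dn, group_dn, nested=False):
    """Evaluate the clause for one object against a memberOf map."""
    direct = directory.get(obj_dn, [])
    if not nested:
        return group_dn in direct
    seen, stack = set(), list(direct)
    while stack:
        dn = stack.pop()
        if dn == group_dn:
            return True
        if dn not in seen:  # circular group nesting must not loop forever
            seen.add(dn)
            stack.extend(directory.get(dn, []))
    return False

def select(directory, candidates, group_dn, nested=False):
    """Candidates the filter would return, e.g. the users to import."""
    return [dn for dn in candidates if matches(directory, dn, group_dn, nested)]

# Constructed sample data (not from a real directory): DN -> memberOf values.
BASE = "OU=Users,DC=Domain,DC=com"
STAFF, MARKETING = "CN=Staff," + BASE, "CN=Marketing," + BASE
BOB, ALICE, EVE = "CN=Bob," + BASE, "CN=Alice," + BASE, "CN=Eve," + BASE
DIRECTORY = {BOB: [MARKETING], ALICE: [STAFF], EVE: [], MARKETING: [STAFF]}
USERS = [ALICE, BOB, EVE]

if __name__ == "__main__":
    for nested in (False, True):
        print(member_of_filter(STAFF, nested))
        print("  ->", select(DIRECTORY, USERS, STAFF, nested))
```

With the nested rule, anyone who can add members to a subgroup of the filtered group also decides who matches the filter, so review the nesting under that group before relying on it.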

     


Version from 02:49, 19 Jan 2019

This revision modified by CalebMathison (Ban)


Version as of 03:07, 19 Jan 2019

This revision modified by CalebMathison (Ban)
