Problem with nested user groups in computer Access control
Hi,
I'm trying to configure access control based on user groups in an AD-based network.
If I do it with the default backend and select a local group which contains domain users and domain groups, access is only permitted to users contained directly in that group. Users in the nested group cannot enter.
Example.
Local system group: "Veyon"
"Veyon" contains: mydomain\user1, mydomain\user2, mydomain\subgroup1
"subgroup1" contains: mydomain\user3, mydomain\user4
If I grant access to local group "Veyon", only mydomain\user1 and mydomain\user2 can enter. The users mydomain\user3 and mydomain\user4 can't.
Is there a limitation on this type of group nesting?
I've also tried with the LDAP backend, but here my problem is another one: authorized universal domain, only members which belong to the same domain defined in LDAP can enter. Users of another domain in the same forest can't.
For example, access granted to mydomain\veyon-grp, which contains mydomain\user1 and otherdomain\user2. Only user1 gets in. User2 always gets denied access. LDAP is configured for mydomain.
I suppose it has to do with LDAP Basic restriction to only one domain.
Thanks for your help
Carlos
Have you tried enabling the Query nested user groups (supported by AD only) option in the Advanced LDAP settings tab? When enabled, Veyon uses the LDAP_MATCHING_RULE_IN_CHAIN search filter rule which tells the server to also return indirect members for a certain group. Access control should then allow access also for indirect memberships.
For debugging this, you can change the Veyon log level to Debug (config page General), click on the Test button in the access control page and search for lines containing AccessControlProvider in C:\Windows\Temp\VeyonConfigurator.log – there should be a line with a list of all groups of the user entered in the test dialog.
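To make the difference between direct and nested membership concrete, here is an added example (not Veyon's code and not from either post) that builds the two LDAP group-lookup filters and emulates, on a constructed in-memory copy of Carlos' group layout, what a server answers with and without the LDAP_MATCHING_RULE_IN_CHAIN rule. The DNs and the helper names are assumptions.

```python
from collections import deque

# Constructed sample directory mirroring the thread's example; the DNs are assumptions.
# Maps group DN -> set of member DNs (users or other groups).
SAMPLE_DIRECTORY = {
    "CN=Veyon,OU=Groups,DC=mydomain,DC=local": {
        "CN=user1,OU=Users,DC=mydomain,DC=local",
        "CN=user2,OU=Users,DC=mydomain,DC=local",
        "CN=subgroup1,OU=Groups,DC=mydomain,DC=local",
    },
    "CN=subgroup1,OU=Groups,DC=mydomain,DC=local": {
        "CN=user3,OU=Users,DC=mydomain,DC=local",
        "CN=user4,OU=Users,DC=mydomain,DC=local",
    },
}

# OID of the AD-only extensible matching rule that follows group nesting transitively.
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def group_search_filter(user_dn: str, query_nested: bool) -> str:
    """Filter for 'groups that contain this user'. With the chain rule the
    server itself expands nested groups; without it only direct members match."""
    if query_nested:
        return f"(member:{LDAP_MATCHING_RULE_IN_CHAIN}:={user_dn})"
    return f"(member={user_dn})"


def groups_of_user(directory: dict, user_dn: str, query_nested: bool) -> set:
    """Emulate the server's answer to group_search_filter on the in-memory directory."""
    direct = {g for g, members in directory.items() if user_dn in members}
    if not query_nested:
        return direct
    found, queue = set(direct), deque(direct)
    while queue:  # walk upward: every group containing a group found so far
        g = queue.popleft()
        for parent, members in directory.items():
            if g in members and parent not in found:
                found.add(parent)
                queue.append(parent)
    return found


def access_allowed(directory: dict, user_dn: str, authorized_group_dn: str,
                   query_nested: bool) -> bool:
    """Access-control decision: is the authorized group among the user's groups?"""
    return authorized_group_dn in groups_of_user(directory, user_dn, query_nested)
```

Running the check for user3 against the "Veyon" group returns False with the plain filter and True once nested querying is on, which is exactly the behaviour described in the thread.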