
The problem: I can't give a computer account the permissions to add groups to an OU by adding that computer account to a security group that has been granted the permission to add groups to that OU.

The reason: In our environment resources are always presented to users using role groups. The resource here is the permission on a specific OU which is given to a Domain Local security group. The role is a Global security group and the user is a computer account. The reason the user is a computer account is because the script that requires the permissions is running under the SYSTEM account on that server.

The set-up:

[Image: Nested Structure]

What I already tested:

  • If I delegate the permissions directly to the computer account it works.
  • If I put a user in the role group that user can execute the script.

What I want:

  • A solution to make this setup work (maybe I overlooked something)
  • Or an explanation why this won't work (then I'll try to find another solution)
Tomas
  • You don't. You grant permissions on the computer account itself. – Greg Askew Sep 07 '16 at 10:31
  • @GregAskew So, you mean I can't nest the computer account. Do you have any idea why that is? Because it does not seem logical to me. – Tomas Sep 07 '16 at 10:34
  • The computer account may be nested as a group member. But you will need to assign the permissions directly to the computer. You cannot assign permissions to a group and expect them to flow to member security principals. – Greg Askew Sep 07 '16 at 11:01
  • @GregAskew When I put a regular user in the same role group as the ScriptServer (in the example) then it does work. That user is granted the required permissions through membership of the nested groups. So I don't think it is correct when you say "You cannot assign permissions to a group and expect them to flow to member security principals." – Tomas Sep 07 '16 at 12:26
  • Re-read the title of your question. "How to delegate OU permissions". 1. you don't delegate OU permissions on a group. 2. if you only want to grant permission to one computer, there is no point in delegating anything. Just grant the required permissions on the computer to the security principal (user or group). – Greg Askew Sep 07 '16 at 12:53
  • @GregAskew OK, so I phrased it incorrectly. But my problem remains: I can't give a computer account the permissions to add groups to an OU by adding that computer account to a security group that has been granted the permission to add groups to that OU. – Tomas Sep 07 '16 at 13:27
  • You may want to delete everything in the question and ask that instead. Also, if you add a computer to a group, the computer does not pick up the group memberships until the computer restarts or the Kerberos TGT key is purged and reloaded. – Greg Askew Sep 07 '16 at 13:40

2 Answers


So I found the solution thanks to a comment from Greg Askew:

Also, if you add a computer to a group, the computer does not pick up the group memberships until the computer restarts or the Kerberos TGT key is purged and reloaded. – @GregAskew

I purged the Kerberos key of the system account using PsExec and the klist command.

I entered an interactive system session and then purged the Kerberos key.

    PsExec.exe -s -i powershell.exe   # open an interactive PowerShell running as SYSTEM
    klist purge                       # purge the Kerberos tickets cached for that session

I preferred this method over restarting since restarting a server is not always possible.

Tomas
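The same check-and-purge, as an added example that is not part of the original answer: it verifies the nesting on the AD side, then purges and re-acquires SYSTEM's tickets from an elevated prompt by addressing the well-known SYSTEM logon session 0x3e7 with klist -li, so no PsExec session is needed. It assumes the RSAT ActiveDirectory module and a hypothetical Global role group named ROLE-ScriptServer.

```powershell
# Added example (not the original poster's code). Assumptions: elevated PowerShell on the
# script server, RSAT ActiveDirectory module installed, role group name is hypothetical.
param(
    [string]$RoleGroup    = 'ROLE-ScriptServer',   # hypothetical Global role group
    [string]$ComputerName = $env:COMPUTERNAME
)
Import-Module ActiveDirectory

# 1. AD side: is the computer account a (possibly nested) member of the role group?
#    The LDAP_MATCHING_RULE_IN_CHAIN OID (1.2.840.113556.1.4.1941) walks nested membership.
$computerDn = (Get-ADComputer $ComputerName).DistinguishedName
$chain = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$computerDn)" |
         Select-Object -ExpandProperty Name
if ($chain -notcontains $RoleGroup) {
    throw "$ComputerName is not a (nested) member of $RoleGroup; fix the nesting first."
}
"Groups reached through nesting: $($chain -join ', ')"

# 2. Kerberos side: the group SIDs travel in the PAC of the TGT that SYSTEM obtained at
#    boot, so a membership added afterwards stays invisible until that TGT is replaced.
#    0x3e7 (999) is the LSA logon ID of the local SYSTEM account.
"Tickets cached for SYSTEM before purge:"
klist -li 0x3e7
klist -li 0x3e7 purge

# 3. Force a fresh TGT plus a service ticket for the DC's LDAP service; the new PAC now
#    carries the role group, which the DC expands to the Domain Local resource group
#    when it authorises the add-group operation on the OU.
$dc = (Get-ADDomain).PDCEmulator
klist -li 0x3e7 get "ldap/$dc"
"Tickets cached for SYSTEM after re-acquisition:"
klist -li 0x3e7
```

The script that needs the OU permission can be run right after step 3; if it still fails, the nesting check in step 1 is the first thing to revisit.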

For me it was very helpful, from how the title was written. I was doing something similar, just with a cluster, and when reading about the TGT it makes perfect sense. I just assigned the group and restarted the cluster CNO and it worked; I was a bit unsure if the computers also needed to be restarted.