This is my sanitized Authentication.ps1
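# Authentication.ps1 — validates the supplied $Credential and fills a
# [Security.AuthenticationResult] with .UserName and .Success.
#
# Two paths:
#   1. the built-in break-glass admin (user name 'Admin', literal password), or
#   2. an LDAP bind against the domain with the user's own credentials, followed by
#      a membership check against the PU-access group (nested groups included).
#
# Inputs:  $Credential (PSCredential supplied by the host)
# Outputs: $Result (Security.AuthenticationResult)
$Result = [Security.AuthenticationResult]::new()

# NOTE: "PASSWORD" is a sanitized placeholder; the real value should come from a secret
# store rather than living in this script. The password is compared with -ceq because
# plain -eq is case-insensitive for strings in PowerShell and would accept any casing.
# The user-name comparison stays -eq (Windows account names are case-insensitive).
if ($Credential.UserName -eq 'Admin' -and $Credential.GetNetworkCredential().Password -ceq "PASSWORD")
{
    # Maintain the out of box admin user
    $Result.UserName = 'Default Admin'
    $Result.Success = $true
}
else
{
    # Bind to the domain with the logged-on user's credentials - a successful bind is
    # what validates their credential. On a failed bind the entry's .name stays empty.
    $CurrentDomain = "LDAP://DC=domain,DC=local" # Insert Your Domain Here
    $domain = $null
    try
    {
        $domain = New-Object System.DirectoryServices.DirectoryEntry($CurrentDomain, $Credential.UserName, $Credential.GetNetworkCredential().Password)

        # $null on the left: with $null on the right, -eq would act as a filter if
        # .name ever came back as a collection and the test would never be true.
        if ($null -eq $domain.name)
        {
            #"Authentication failed for $($Credential.UserName)!"
            write-host "Authentication failed - please verify your username and password."
            $Result.UserName = ($Credential.UserName)
            $Result.Success = $false
        }
        else
        {
            write-host "Successfully authenticated with domain $($domain.name)"
            #"Authentication success for $($Credential.UserName)!"

            # -Recursive so members of groups nested inside PU-access are accepted too.
            # NOTE(review): very large groups can hit the AD member-enumeration limit — confirm
            # PU-access stays well below it.
            $groupMember = Get-ADGroupMember -Identity PU-access -Recursive | select-object -ExpandProperty samaccountname

            # -contains is case-insensitive. The role policies strip a "domain\" prefix before
            # this kind of comparison; this check does not, so a user name entered as
            # "domain\user" or "user@domain" will not match a samAccountName — TODO confirm
            # which form the host passes in $Credential.UserName.
            if ($groupMember -contains $Credential.UserName)
            {
                $Result.UserName = ($Credential.UserName)
                $Result.Success = $true
            }
            else
            {
                $Result.UserName = ($Credential.UserName)
                $Result.Success = $false
            }
        }
    }
    finally
    {
        # DirectoryEntry holds an LDAP connection; release it on every path.
        if ($null -ne $domain) { $domain.Dispose() }
    }
}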
Users must be in the PU-access group (or a group nested inside of that group) in order to log in.
Here is a sample of three roles I have set up in roles.ps1
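# Administrator role: granted to the built-in 'Default Admin' account or to any direct
# member of the PU-Admin AD group.
#
# Arguments: $User - the authenticated principal; $User.Identity.Name is compared
# Returns:   $true when the user holds the role, $false otherwise
New-PSURole -Name "Administrator" -Description "Administrators can manage settings of UA, create and edit any entity within UA and view all the entities within UA." -Policy {
    param(
        $User
    )
    #
    # Policies should return $true or $false to determine whether the user has the particular
    # claim that require them for that role.
    #

    # The break-glass admin is checked first so it keeps working when AD is unreachable
    # (the AD lookup below would otherwise run, and fail, before this name is even looked at).
    if ($User.Identity.Name -eq "Default Admin") {
        return $true
    }

    # Strip the NetBIOS domain prefix so the name can be compared with samAccountName.
    # -replace is a case-insensitive regex; .Replace() is ordinal/case-sensitive and would
    # leave an upper-case "DOMAIN\" prefix in place, making the membership test fail.
    $accountName = $User.Identity.Name -replace '^domain\\', ''

    # NOTE(review): direct members only (no -Recursive), unlike the login check on PU-access —
    # confirm nested groups are intentionally not honoured for this role.
    $groupMember = Get-ADGroupMember PU-Admin | Select-Object -ExpandProperty samaccountname

    if ($groupMember -contains $accountName) {
        $true
    }
    else {
        $false
    }
}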
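# Helpdesk role: granted to direct members of the PU-helpdesk AD group.
#
# Arguments: $User - the authenticated principal; $User.Identity.Name is compared
# Returns:   $true when the user holds the role, $false otherwise
New-PSURole -Name "Helpdesk" -Description "Helpdesk" -Policy {
    param(
        $User
    )
    # Strip the NetBIOS domain prefix so the name can be compared with samAccountName.
    # -replace is a case-insensitive regex; .Replace() is ordinal/case-sensitive and would
    # leave an upper-case "DOMAIN\" prefix in place, making the membership test fail.
    $accountName = $User.Identity.Name -replace '^domain\\', ''

    # NOTE(review): direct members only (no -Recursive), unlike the login check on PU-access —
    # confirm nested groups are intentionally not honoured for this role.
    $groupMember = Get-ADGroupMember PU-helpdesk | Select-Object -ExpandProperty samaccountname

    if ($groupMember -contains $accountName) {
        $true
    }
    else {
        $false
    }
}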
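# User Creation role: granted to direct members of the PU-UserCreate AD group and
# gates access to the User Creation dashboard.
#
# Arguments: $User - the authenticated principal; $User.Identity.Name is compared
# Returns:   $true when the user holds the role, $false otherwise
New-PSURole -Name "User Creation" -Description "Allows access to the User Creation dashboard" -Policy {
    param(
        $User
    )
    # Strip the NetBIOS domain prefix so the name can be compared with samAccountName.
    # -replace is a case-insensitive regex; .Replace() is ordinal/case-sensitive and would
    # leave an upper-case "DOMAIN\" prefix in place, making the membership test fail.
    $accountName = $User.Identity.Name -replace '^domain\\', ''

    # NOTE(review): direct members only (no -Recursive), unlike the login check on PU-access —
    # confirm nested groups are intentionally not honoured for this role.
    $groupMember = Get-ADGroupMember PU-UserCreate | Select-Object -ExpandProperty samaccountname

    if ($groupMember -contains $accountName) {
        $true
    }
    else {
        $false
    }
}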
After successfully logging in (which requires membership in PU-access), users are assigned a role via their other group memberships. None of this may be the "best" way to do it, but it works for me in my environment.