Authentication and Policy based on Active Directory Group Membership

I’m attempting to add authentication to my dashboards as well as adding/limiting access depending on AD group membership. I’ve followed the tutorials in the documentation, read forums for similar threads, etc. but I’m still having issues.

As of right now, PSU is able to authenticate against AD but it’s not able to determine if a user is a member of an AD group. Here’s what I did:

  1. Created Application Pool and it's running as the LocalSystem
  2. Changed Windows Authentication to True in appsettings.json
  3. Enabled Windows Authentication in IIS and disabled anonymous authentication
  4. Created 2 groups PSU Admin and PSU Users. Added myself and supervisor to PSU Admins, everyone else to PSU Users.
  5. Modified Security Settings to this using my own domain information. The adlogin.txt file does not get created at all.
  6. Modified the Administrator Policy Script to match this using my own LDAP info. The adgroup.txt file does get created and it appends a timestamp and name of user logging in. Neither my supervisor nor I are shown to be members of the PSU Admin group.

After looking through the log I found errors that repeat themselves a lot.

Product: PowerShell Universal
Version: 1.5.7

Here is my crude method of using a couple of functions to authenticate the user and the AD group they belong in…this is in older UD but I am sure you could just use these two functions to get the job done :crossed_fingers:


Thank you so much! I’ll give this a shot, thank you again.

I did similar to yourself, and configured the Admin Policy to look like this:

param(
    $User
)

# PSU passes the authenticated principal as $User; Identity.Name is DOMAIN\sAMAccountName
$UserName = ($User.Identity.Name)
$UserName = $UserName.Split('\')[1]
$IsMember = $false

# Enumerate direct members of the admin group under the Users OU
$Searcher = New-Object System.DirectoryServices.DirectorySearcher
$Searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry('LDAP://OU=Users,DC=my,DC=intra,DC=company,DC=com')
$Searcher.Filter = "(&(objectCategory=person)(memberOf=CN=PSU_Administrators,OU=PSU,OU=Application Groups,OU=My Groups,DC=my,DC=intra,DC=company,DC=com))"
$Users = $Searcher.FindAll()
$Users | ForEach-Object {
    # Each property is a value collection; take the first (only) sAMAccountName
    If ($_.Properties['samaccountname'][0] -eq $UserName) {
        $IsMember = $true
    }
}

# The last value output by the policy script is the decision: $true grants the role
$IsMember

This allowed only certain folks to have Admin access. I then created a new policy for one of my dashboards, and basically used the same script as above, just altered the path to the group in A.D.

The biggest thing for me was it did not work until I set an explicit deny on all the other canned policies such as Reader, Operator, etc. Otherwise people were still able to get to pretty much anything. Since I am not yet using them, I set them all to the below:

param(
    $User
)

$UserName = ($User.Identity.Name)
$UserName = $UserName.Split('\')[1]

# Explicit deny: always output $false so nobody is granted this canned role
$IsMember = $false
$IsMember

This seems to work well for me; hope it helps.
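A hardened variant of the admin policy script above, added here as an example and not code from any of the posters: it fails closed when the identity is not in DOMAIN\user form, escapes the account name before it is placed in the LDAP filter, and uses the LDAP_MATCHING_RULE_IN_CHAIN matching rule so that membership through nested groups is honoured (the plain memberOf filter in the post only matches direct members). The group DN and search root are placeholders taken from the post and must be replaced with your own values.

```powershell
param(
    $User
)

# Fail closed: if anything below cannot decide, the answer stays $false.
$IsMember = $false

# Placeholder DNs copied from the post above; substitute your own domain values.
$GroupDN    = 'CN=PSU_Administrators,OU=PSU,OU=Application Groups,OU=My Groups,DC=my,DC=intra,DC=company,DC=com'
$SearchRoot = 'LDAP://OU=Users,DC=my,DC=intra,DC=company,DC=com'

# Expect DOMAIN\sAMAccountName; anything else (empty, UPN form, no backslash) is rejected.
$Identity = [string]$User.Identity.Name
if ($Identity -notmatch '^[^\\]+\\([^\\]+)$') { return $IsMember }
$SamAccountName = $Matches[1]

# Escape the value per RFC 4515 before it goes into the filter, backslash first,
# so a stray '(' or '*' in the name cannot widen the query.
$Escaped = $SamAccountName -replace '\\', '\5c' -replace '\*', '\2a' `
                           -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'

# 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) follows group-in-group
# chains, so a user who is an admin via a nested group is also matched.
# The filter names exactly one account, so at most one entry comes back.
$Searcher = New-Object System.DirectoryServices.DirectorySearcher
$Searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry($SearchRoot)
$Searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$Escaped)(memberOf:1.2.840.113556.1.4.1941:=$GroupDN))"
[void]$Searcher.PropertiesToLoad.Add('sAMAccountName')

try {
    $Result = $Searcher.FindOne()
    if ($null -ne $Result) { $IsMember = $true }
}
catch {
    # Directory unreachable or bad DN: remain at $false rather than granting the role.
}

# Last value output is the policy decision.
$IsMember
```

Because the filter asks for the single account rather than listing every group member, the policy stays cheap on large groups and still returns $false when the directory cannot be reached.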

Thank you so much for your response. It looks like everything is working as it should now. Thank you again.

@JLogan3o13 @f.ehler.i.nolim @psDevUK

I am using a Textbox on the dashboard to test the following variables:

$User always evaluates to “Admin”
$env:Username evaluates to the account that is running PowerShell Universal service

I’m needing it to evaluate to the user that launched the dashboard so that I can complete the tasks you all are referring to in order to check the user’s AD groups.

Where am I going wrong?