New type for the Authorization Rules

[sylwester-majcher]

I have idea for authorization rules.
For now we have three type of rule: Container, Group, Computer.
In my organisation we plan to use few custom attributes to attach computer object to; specific city, region, owner, customer, department, etc intead of keeping this fix values for example in the computer name by having specific criteria in the computer´s naming.
My idea is to have custom attribute like LAPS with value for example like: LAPSHRComputers;LAPSITComputers;LAPSGroupXX'
And then we will be able choose in the authorization rules type as Attribute than write name of attribute(in my example "LAPS") and value(in my example "LAPSITComputers")
Lithnet tool then writes the LAPS attribute and checks the computer object has in the LAPS attr value like "LAPSITComputers".
By this way we dont have to create tons of specific security groups for computers the time we want to separate few computers for on Engineer that want to generate LAPS password for this several computers only.
I know we have JIT support but there is PAM requirenments and not all comapnies has AD level with PAM you know...
For me this new element makes me independent of the domain administrator and solution will be more dynamic.

[ryannewington]

@sylwester-majcher We've thought about a few cases where we'd want to do some sort of custom authorization. Maybe using SCCMs 'primary computer' feature to determine who would have access to a LAPS password, or an external database of some sort to hold authorization information. I think this is another valid case where you have a specific attribute in your directory that you want to use for authorization.

In order to achieve this, we've included support for PowerShell authorization rules.. When you use a PowerShell-based authorization, AMS provides your script with the details of the user requesting access, as well as the computer they are trying to access. In your case, you can then call out to active directory and interrogate your custom attributes and just tell access manager what the user should be allowed to access.

Regarding PAM support, you dont need the AD PAM feature to use JIT. AMS will detect if PAM is available and use it, but if not, will fall back to using dynamic groups.

[ryannewington]

Can you share your script? It might be easier for me to see what is going on.

AMS is asking you if $user has access to $computer as part of this function.

function Get-AuthorizationResponse{
	param(
	$user,
	$computer
)

You need to return a response object that gives AMS the permissions you want to apply for the user AMS supplied, in the context of the computer provided.

If users are being granted access to all computers, it must be because the logic in your script is returning the response object that says to give them access.

As we understend first AM takes $response values to see what privilages we set, in second step AM need to know which computers are affected and next what user - all this things we should put inside variable and put inside $response?

You dont need to set the user or computer, AMS has already done this. The script is run every time a user makes a request, and the requesting user is in the $user variable, and the requested computer is in the $computer variable.

You just need to perform the access evaluation on that user and computer combination, and return a response for that user and computer.

[sylwester-majcher]

Hi,
we have tried to modify this example script and no success.
We have in our team one Guy who read lot of tools in powershell languge but we still dont undestend how AM works with this kind of custom script.
Normally by GUI we must set target and permission to this target by choosing user and granding permission for laps pwd or jit ot bitlocker etc...allow or deny. Ok
By custom script inside the function we can set permissions by giving false or true but what issue we have is how to set a target as specific group of computers(this group not like a security group from AD but our list of computers separated by ; or ,) for specific user the same as we can do by GUI.
The goal is to avoid creating tons of small security groups with computer objects or tons of rules in AM if for example User1 wants to have access to laps password only for two computers.

[ryannewington]

Send me your script and I'll take a look - [email protected]

[sylwester-majcher]

you know we normally have tried to edit example's script from "C:\Program Files\Lithnet\Access Manager Service\config\scripts" from LAPS AM server as below or your suggestion from 14 february. we normally've tried to edit these two scripts and change for example variables like $myUser = "domain\username", $myComputer = "domain\computer$" to put as a fix data user account and computer names etc.

function Get-AuthorizationResponse{
param(
$user,
$computer
)

# See https://go.lithnet.io/fwlink/oyotjigz for help

Write-Information  "We're in PowerShell!"
Write-Information "Checking if $($user.MsDsPrincipalName) is allowed access to $($computer.MsDsPrincipalName)"

# Create an object to hold our authorization decisions
# Set IsAllowed to true to allow access, or set IsDenied to explicitly deny access, or leave both as false if no decision was made. This will allow other rules to be evaluated.
$response = [pscustomobject]@{
	IsLocalAdminPasswordAllowed = $false
	IsLocalAdminPasswordDenied = $false
	IsLocalAdminPasswordHistoryAllowed = $false
	IsLocalAdminPasswordHistoryDenied = $false
	IsJitAllowed = $false
	IsJitDenied = $false
	IsBitLockerAllowed = $false
	IsBitLockerDenied = $false
}

# Return the authorization response to Access Manager to process
Write-Output $response;

}

[ryannewington]

I'm not sure I understand the question here @sylwester-majcher

If you are still having trouble, please email me the script, it will be much faster for me to figure out what is happening if I can see what you are doing.