Overview

PFA will allow customers to update permisssions on Active Directory object by setting the correct values on specific attributes. Initial implementation is focused on Organizational Units.

Parameters

1. Define <action-attribute> for query
   • utexasEduAustinBool1
   • Value must be true to grant permissions
2. Define <permission-attribute> for query
   • utexasEduAustinSingle11
   • Value must be one of the existing Delegation values
3. Define <targets-attribute> for query
   
   • utexasEduAustinMulti11
   • Values must be DN of a group object
4. Define <reports-attribute> for results
   • utexasEduAustinMulti12
5. Define <object-class> for query
   • organizationalUnit
6. Define <container> as search base for query
   • OU=Departments,<domainDnsRoot>

Pseudo-code

1. Query for <object-class> in <container> where:
   1. <action-attribute> is true
   2. <permission-attribute> has a value
   3. <targets-attribute> has a value
2. For each object found in previous step...
   
   1. Grant <permission-attribute> delegation on object to each principal in <targets-attribute>
   2. Update <reports-attribute> with "<timestamp>;<add/remove>;<delegation>;<DNs>"
   3. Clear <action-attribute>, <permission-attribute>, <targets-attribute>
3. Create scheduled task on ADFS servers to perform query every hour
   1. Run as dedicated GMSA
      1. All permissions actions taken by known account
      2. Password of account managed by domain
   2. Leverage HostCheck
      1. Avoid duplication of work

Expansion options

• Set <action-attribute> to false to remove a delegation
• Allow <permission-attribute> to be SDDL
  • SDDL must be checked for prohibited permissions
• Add Reset as a delegation to reset permissions on an OU
  • Ensure that <DEPT>-Permissions are restored after a reset on a department root.