I need to authenticate AD users logging into their workstations only if they belong to the security group AT THE MOMENT OF AUTHENTICATION. They're being added to this privileged group right before they actually put in their passwords (they need to meet certain requirements), then they log on, and after a minute they're being removed from the group.

I thought I could make it with "Log on Locally" GPO - and it almost worked, until the user was removed from the privileged group. This is when he lost access to shared resources.

So my question is - how to affect ONLY authentication process (not the whole interactive session) using security group membership. I care whether he's a member of this privileged group only at the moment of authentication.

Thank you for any suggestions.

Mike
  • Group membership changes usually require the user to log off and log back on again before they take effect. What are you actually trying to achieve? There might be an alternative/better way of doing what you want. – Bryan Jun 04 '13 at 11:32
  • Hi Bryan. There's a group of users which are denied workstation login by default. If they need access, their supervisor enables it for them for a limited time period. Let's say they have a 1-minute window of time within which they can auth. After that time, they're still able to use their workstations until they log out. But they can't open another session (let's say on a different workstation). I can imagine that injecting something into the Kerberos Authentication Service would do the job, but I'd like to do it as least invasively as possible. That's why I thought security groups would be suitable. – Mike Jun 04 '13 at 12:52
  • But you also want persistent resources that may require later auth, e.g. shares, to work too? – JamesRyan Jun 04 '13 at 13:38
  • Yes, ideally - once the user is authenticated during logon procedure all further resources should be granted. – Mike Jun 04 '13 at 14:32

1 Answer

Active Directory doesn't quite work that way. You authenticate to the domain controllers many times throughout your session, not just for the initial login, but also every time you access a remote resource (file shares, network printers, terminal servers, intranet sites, etc.).

So they have the group permissions when they login, but once they are taken away, they go to authenticate to the file server, and (correctly) no longer have the appropriate group membership, so get denied access.

It's a fairly odd requirement, but this might work:

  • Create two groups, "group-permissions" and "group-login"
  • Give log on locally permissions to "group-login"
  • Give all other permissions, such as network shares, to "group-permissions"
  • Add the user to both "group-permissions" and "group-login"
  • Remove the user from "group-login" after 1 minute
  • Optionally, remove the user from "group-permissions" after a day or hour or whenever they should be done on the computer

You will need to use the "group-permissions" group for anything that they reauthenticate against during the session - intranet sites, file shares, etc.

This way, they maintain one group membership for the entire session, but can't login locally a second time. If you allow remote logins (i.e. to a terminal server or something), you would probably need to use the "group-permissions" group to allow login remotely, so they can reconnect if disconnected.

Grant
  • Hi Grant. Thank you for trying to help. Unfortunately the scenario you proposed didn't work. When the user was removed from the "Log on locally" group he was treated as an intruder and access to all resources was revoked right away (no matter what permissions he had). I figured out there was another GPO responsible for that - "Enforce User Logon Restriction" (within the Kerberos section). Once disabled - worked like a charm. From now on my access to resources depended on the lifetime of the Kerberos ticket ("Maximum Lifetime for service ticket" in the Kerberos section). – Mike Jun 12 '13 at 07:53
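The two-group scheme from Grant's answer, as an added example that is not part of the original answer or comments: a supervisor-run script that opens the logon window by adding the user to both groups, waits out the window, and then removes only the logon group so the session's other group membership survives. It assumes the ActiveDirectory PowerShell module (RSAT) on the machine running it, the group names "group-login" and "group-permissions" from the answer, and a 60-second window; the `-Server` target is an assumption so that the add and the remove are evaluated against the same domain controller rather than waiting on replication. Mike's follow-up notes that "Enforce user logon restrictions" has to be disabled for the scheme to work; that setting is what makes the KDC re-check the user's logon rights on every service-ticket request, so disabling it means a removed logon right is only enforced at the next interactive logon and at ticket expiry, which is exactly the behaviour the question asks for and something to record in the change log.

```powershell
#Requires -Modules ActiveDirectory
# Added example implementing the two-group logon window; not code from the original post.
# Assumptions: group names as in the answer, a 60-second window, one target DC.
param(
    [Parameter(Mandatory)][string]$SamAccountName,
    [string]$LoginGroup       = 'group-login',       # only grants "Allow log on locally"
    [string]$PermissionsGroup = 'group-permissions', # shares, intranet, remote logon, etc.
    [int]$LoginWindowSeconds  = 60,
    [string]$Server           = (Get-ADDomainController -Discover).HostName | Select-Object -First 1
)

Import-Module ActiveDirectory

$user = Get-ADUser -Identity $SamAccountName -Server $Server -ErrorAction Stop

# Open the window. The permissions group goes first so that the user never holds
# a logon right without the resource rights the session will later depend on.
Add-ADGroupMember -Identity $PermissionsGroup -Members $user -Server $Server
Add-ADGroupMember -Identity $LoginGroup       -Members $user -Server $Server
$closesAt = (Get-Date).AddSeconds($LoginWindowSeconds)
Write-Output "Logon window for $($user.SamAccountName) open until $closesAt (DC: $Server)"

# Close the window: remove only the logon group. Tickets already issued, and any
# reauthentication against group-permissions, keep working for the current session.
Start-Sleep -Seconds $LoginWindowSeconds
Remove-ADGroupMember -Identity $LoginGroup -Members $user -Server $Server -Confirm:$false

# Verify the end state on the same DC and leave an audit line behind.
$groups = Get-ADPrincipalGroupMembership -Identity $user -Server $Server |
          Select-Object -ExpandProperty Name
if ($groups -contains $LoginGroup) {
    throw "Removal of $SamAccountName from $LoginGroup failed; window is still open"
}
if ($groups -notcontains $PermissionsGroup) {
    throw "$SamAccountName lost $PermissionsGroup; resource access will break mid-session"
}
Write-Output "Window closed for $($user.SamAccountName); still a member of $PermissionsGroup"
```

Run it as `.\Open-LogonWindow.ps1 -SamAccountName jdoe` from an account allowed to modify both groups. Pinning both changes to one DC matters because the workstation may authenticate against any DC in the site; if the removal has not replicated yet, the window is effectively longer than 60 seconds on the other DCs. The later removal from "group-permissions" (the optional last step in the answer) is deliberately left to a separate, scheduled job so that a crash of this script cannot strip resource access from a user who is still working.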