Question

AD security group permissions do not appear to apply properly

asked on September 2, 2015

A while back, I created a Distribution Group in AD that has a list of all domain users that I set up as Named Users, by synchronizing with this group in the Licence Manager.

What I've been trying to do is give this group read-only permissions to sections of our repository.  So what I've done is added a new group in Laserfiche (Laserfiche Users), and tied it to the same group in Active Directory (the same one we use for dictating licensed Named Users in the repository).  Despite giving this group read-only permissions to specific record series in the repository, and confirming this group has read-only as effective permissions, it doesn't appear the permissions apply to the actual group members themselves; this was confirmed by manually adding individual members to the group in Laserfiche, and seeing all folders where I'd added read-only for the group suddenly appear (after logging out and back in).

Hopefully I'm explaining this properly.  I'm just puzzled that the group permissions I've set, which are tied back to the AD group containing all Named Users, are not applying properly, despite the group having the correct effective permissions on the group level, but not the correct permissions on the individual (group member) level.

(Ultimately I'm trying to make it so "Everyone" only sees a specified folder, or group of folders, while giving all Named Users read-only access to all public information to our employees...but not people outside of our organization.)

Thanks to anyone who can assist! :)

Marty Gaffney - Network Technician

Town of Okotoks

0 0

Answer

APPROVED ANSWER
replied on September 2, 2015

Laserfiche security doesn't support AD distribution groups -- you need to use security groups instead.

2 0

Replies

replied on September 2, 2015

So I've tried the following:
1) I've changed the AD Distribution Group to a Security Group.

2) I've moved the Security Group to the appropriate OU in AD.

3) I've removed the Laserfiche Users Distribution Group from the Laserfiche Licence Manager.

4) I've added the Laserfiche Users Security Group in the Licence Manager.

5) I synchronized with the Domain Controller manually.

6) In the Administration Console, I removed the group I had created for our Named Users.

7) I added the group back, selecting the Laserfiche Users Security Group from the list of results, saving my changes.

8) I added the Laserfiche Users group to the root of the repository, giving them read-only access.

Despite doing this, the list of folders that appear still seems to be the same.  Can you think of anything I might be doing wrong, perhaps not waiting long enough for the changes to take effect on the Domain Controller?

0 0
replied on September 8, 2015

I finally got this sorted out by referencing the domain security group directly, instead of referencing the Laserfiche group (which referenced the domain group).  Looks to be all good now... :)

0 0
replied on November 10, 2015
I have had a similar issue.
The AD groups were initially set up as distribution groups.  There was one main AD Group containing all other AD Groups requiring access to Laserfiche.  This main group had been synced within LFDS and all AD Users were appearing correctly in LFDS.
The other AD Groups were added to Admin Console with Feature Right and Privileges and were used to allocate Access Rights to folders within the repository.
Even though the AD Users were appearing in LFDS, and could be checked for access in the repository, they would not gain the correct Access Right that had been assigned by AD Groups.
 
We changed all of the AD Distribution Groups to AD Security Groups and re-synced the main AD group in LFDS.  The AD Groups in Admin Console and the repository were not changed.
 
The AD Users now have access to folders according to the access rights that were set within those AD groups.
 
0 0
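
The thread traces the problem to AD distribution groups, including groups nested inside a main synced group. As an added example (not posted by anyone in this thread and not Laserfiche's own tooling), this PowerShell walks a group and everything nested in it and lists any group whose category is still Distribution. It assumes the RSAT ActiveDirectory module is installed; `Find-DistributionGroup` is a hypothetical helper name, and `Laserfiche Users` is the group name from the question.

```powershell
# Added example: requires the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

function Find-DistributionGroup {
    # Hypothetical helper: walks a group and all groups nested inside it,
    # returning every group whose category is Distribution.
    param(
        [Parameter(Mandatory)] [string] $Identity
    )

    $seen  = @{}   # DNs already visited (guards against circular nesting)
    $queue = [System.Collections.Generic.Queue[string]]::new()
    $queue.Enqueue((Get-ADGroup -Identity $Identity).DistinguishedName)

    while ($queue.Count -gt 0) {
        $dn = $queue.Dequeue()
        if ($seen.ContainsKey($dn)) { continue }
        $seen[$dn] = $true

        $group = Get-ADGroup -Identity $dn
        if ($group.GroupCategory -eq 'Distribution') {
            [pscustomobject]@{
                Name     = $group.Name
                Category = $group.GroupCategory
                Scope    = $group.GroupScope
                DN       = $dn
            }
        }

        # Queue nested groups only; users and computers are skipped.
        Get-ADGroupMember -Identity $dn |
            Where-Object { $_.objectClass -eq 'group' } |
            ForEach-Object { $queue.Enqueue($_.DistinguishedName) }
    }
}

# 'Laserfiche Users' is the group name used in the question; substitute your own.
$flagged = @(Find-DistributionGroup -Identity 'Laserfiche Users')
$flagged | Format-Table Name, Category, Scope -AutoSize

# Convert each flagged group in place; -WhatIf previews the change without applying it.
$flagged | ForEach-Object { Set-ADGroup -Identity $_.DN -GroupCategory Security -WhatIf }
```

Remove `-WhatIf` once the preview lists only the groups you intend to convert, then re-sync the group in LFDS as the reply above describes.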
replied on April 18, 2016

I have a similar issue with security on our repository.  I want to allow users in my All Team Member AD group to have read only rights to specific folders, but within that All Team Member AD group are users who have modify rights to these same folders.

 

Since this All Team Member AD group is what assigns my users a named license, everyone getting a license must be in this group.  But if I assign this group read only rights in the Admin Console, then the users within this group are limited to their lowest rights which would be read only no matter what other rights I assign by putting them in another group on the same folders.

 

Looking for assistance on how to best address this.  Thank you.

Michelle

0 0