Open for Voting

Allow Conversion of User Account from AD Group to AD User and vice versa

To make it simpler to manage my Orion environment, I add most users using AD Groups.  This works great until you want to enhance rights for a single user in that group.  Usually that is just a temporary change where I want to revert the user back once they finish the project they are working on that requires the additional permissions.

Example:  This weekend we have major work taking place in our main Data Center.  None of our Orion Admins are available to "Pause all alert actions" while that work is taking place.  By default, I do not grant that right to anyone but our Orion Admins.  I would like to temporarily grant that right to one of the Orion Users, currently in an AD Group, and then revert that user back to the AD Group permissions after the weekend.

The process, according to SolarWinds Support, would be to remove the User's entry from the database and then add them back as an AD User.  After the work is complete, then the AD User account would be removed so that the User is again logging in under the AD Group.

This used to be a much easier process and I would guess that it is now more difficult because of enhanced security of the platform.

As an Orion Admin, there should be a built-in way to temporarily, or even permanently, grant additional rights to a specific User in an AD Group while continuing to have that user assigned the other rights that come with the AD Group.  I am thinking that on the "Windows Groups" tab, the Group would have a dropdown (similar to that of Orion Groups) that lists the Users that have logged in under that Group.  Then have the ability to Edit that single User's Account to alter the rights.  Maybe even have an expiration date to allow temporary User level rights to revert back to AD level Group rights at expiration.

Parents
  • It's been many years since I had to do something like this, but I was wondering if the same process would work for you.

    I had an AD Group (let's call it "Orion SuperUsers (Temporary)" for the sake of argument).  In that group I would have people with escalated rights for a set time.  Then I just made sure that group was listed above their "other" group.

    The Manage Windows Group Accounts page says:

    Add Windows groups (Active Directory or local) to Orion. Any member of the group account will be able to access Orion with appropriate permissions and assigned views. If a user is a member of multiple group accounts, the group account highest in the list below will be applied. (A user will only receive permissions and views from a single group account.)

    Emphasis added by me.

    This puts the management of the group members on the Identity Management (or whatever you call your Active Directory) team.  We used to have alerts when people moved in or out of a group like this and a report that would enumerate the membership of the group.

    If I'm not understanding the request, then by all means tell me and I'm happy to remove this comment which may muddy the waters, but what we'd like to avoid (as much as possible) is to move AD-type user and group management into the Orion platform.
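
The membership report and add/remove alerting mentioned in the comment above could look like the following. This is an added example, not part of the original thread and not SolarWinds code. It assumes the ActiveDirectory PowerShell module, that "Audit Security Group Management" is enabled on the domain controllers, and that the group's sAMAccountName matches the name used in the comment; the domain controller name is a placeholder.

```powershell
# Added example: audit a temporary-elevation AD group used for Orion rights.
# Needs the ActiveDirectory module (RSAT) and read access to the DC Security log.
Import-Module ActiveDirectory

$GroupName        = 'Orion SuperUsers (Temporary)'  # name from the comment; assumed to be the sAMAccountName
$DomainController = 'dc01.example.test'             # placeholder, replace with a real DC
$LookbackDays     = 7

# 1. Current membership, with nested groups expanded, so that indirect
#    members who also receive the elevated Orion rights are visible.
$members = Get-ADGroupMember -Identity $GroupName -Recursive |
    Select-Object Name, SamAccountName, objectClass, distinguishedName

# 2. Membership changes in the lookback window. Event IDs: member added /
#    removed for global (4728/4729), local (4732/4733) and universal
#    (4756/4757) security-enabled groups.
$addedIds = 4728, 4732, 4756
$filter = @{
    LogName   = 'Security'
    Id        = 4728, 4729, 4732, 4733, 4756, 4757
    StartTime = (Get-Date).AddDays(-$LookbackDays)
}

$changes = Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter |
    ForEach-Object {
        # Flatten the named EventData fields into a hashtable.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        # TargetUserName holds the group that was modified.
        if ($data['TargetUserName'] -eq $GroupName) {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Action    = if ($addedIds -contains $_.Id) { 'Added' } else { 'Removed' }
                Member    = $data['MemberName']
                ChangedBy = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            }
        }
    }

$members | Format-Table -AutoSize
$changes | Sort-Object Time | Format-Table -AutoSize
```

Each change is logged only on the domain controller that processed it, so in a multi-DC domain the query has to run against every DC or against a central log collector.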

Children
  • Hey Kevin,

    Yes...  I thought about something like this but the problem is I don't have Active Directory rights so I cannot shift users around as needed using this approach.  The Orion product really should make it easier to do this within the Orion product itself.  That would make it much easier for Orion Admins like myself who are dedicated Monitoring Admins and not Active Directory Admins.