Renaming an AD Group Used for Orion Authentication

Greetings!  We use AD groups to control access to Orion in my organization.  One of our groups was named based on the name of a subcontracted company that was managing part of our infrastructure, but that company was replaced with a new one.  I'd like to rename the AD group to something company-agnostic.

Is there any advice out there on renaming a security group in AD in a way that won't freak out Orion?  If I rename the group in AD, will the new name propagate to Orion since the group's SID is unchanged?  Is it better to create a new security group and retire the old one?  How do I find all the places in Orion where the old group is used?

Thanks for your time!

Kevin

  • If it's just the SolarWinds Web UI that group has access to, then it's pretty straightforward. I don't think there's any official documentation out there on this but I have run through this before in different scenarios without issue.

    Had to make changes to both AD groups / individual accounts and SAML groups / individual accounts. The data lives in the same place in the SQL database table [SolarWindsOrion].[dbo].[Accounts] - assuming the default SolarWindsOrion is your database name.

    Here are some queries to get you started. When I changed these, there was no impact to services and it was seamless. As soon as the database was updated we could log in with the new group info or accounts. Just be sure to back up your database prior to any changes -- test in dev if you can.

    -- Query accounts (I think groups are accounttype 3)
    SELECT a.AccountID, a.AccountEnabled, a.AccountSID, a.AccountType
    FROM SolarWindsOrion.dbo.Accounts AS a
    WHERE a.AccountType = 3
    
    -- Update the Account ID
    UPDATE a
    SET a.AccountID = 'domain\newaccountID'
    FROM SolarWindsOrion.dbo.Accounts AS a
    WHERE a.AccountSID = 'currentSID'
    
    -- Update the Account SID
    UPDATE a
    SET a.AccountSID = 'newSID'
    FROM SolarWindsOrion.dbo.Accounts AS a
    WHERE a.AccountID = 'domain\currentaccountID'
    
    -- Update BOTH the Account ID and SID
    UPDATE a
    SET a.AccountSID = 'newSID',
        a.AccountID = 'domain\newaccountID'
    FROM SolarWindsOrion.dbo.Accounts AS a
    WHERE ( a.AccountID = 'domain\currentaccountID' AND a.AccountSID = 'currentSID' )
  • While I mention this above... pretty sure official documentation (even if non-existent) would likely be to remove the existing groups or account and re-add them once they're changed so they take in the new SID and name. Thought it worth mentioning.
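
An added example, not part of the original replies or SolarWinds documentation: the rename case from the question (same SID, new group name) wrapped in a T-SQL transaction that copies the row first and rolls back unless exactly one row changes. It touches only the Accounts table and columns named in the reply; the backup table name `Accounts_PreRename`, the variable names and the `nvarchar(255)` types are assumptions, and the quoted values are placeholders.

```sql
-- Added example; placeholders follow the reply above and must be replaced.
USE SolarWindsOrion;   -- assumes the default database name
SET XACT_ABORT ON;     -- any runtime error rolls the whole transaction back

DECLARE @GroupSID nvarchar(255) = N'currentSID';          -- unchanged by an AD rename
DECLARE @NewID    nvarchar(255) = N'domain\newaccountID'; -- new group name
DECLARE @Matched int, @Updated int;

BEGIN TRANSACTION;

-- Keep a copy of the row about to change (hypothetical backup table name).
SELECT a.*
INTO dbo.Accounts_PreRename
FROM dbo.Accounts AS a
WHERE a.AccountSID = @GroupSID;
SET @Matched = @@ROWCOUNT;

-- Refuse to proceed unless exactly one row matches and the new name is unused.
IF @Matched <> 1
   OR EXISTS (SELECT 1 FROM dbo.Accounts WHERE AccountID = @NewID)
BEGIN
    ROLLBACK TRANSACTION;   -- also discards the backup copy; nothing changed
    RAISERROR('Expected one matching row and an unused new AccountID.', 16, 1);
    RETURN;
END;

UPDATE a
SET a.AccountID = @NewID
FROM dbo.Accounts AS a
WHERE a.AccountSID = @GroupSID
  AND a.AccountType = 3;    -- group account type, per the reply's guess
SET @Updated = @@ROWCOUNT;

IF @Updated = 1
    COMMIT TRANSACTION;
ELSE
BEGIN
    ROLLBACK TRANSACTION;
    RAISERROR('Update did not touch exactly one row; rolled back.', 16, 1);
    RETURN;
END;

-- Confirm the result.
SELECT a.AccountID, a.AccountEnabled, a.AccountSID, a.AccountType
FROM dbo.Accounts AS a
WHERE a.AccountSID = @GroupSID;
```

If the matching row is not AccountType 3, the update affects zero rows and the script rolls back instead of renaming an unexpected account.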