How do I assign specific permissions to groups in AD for different applications?
The question might sound a bit vague, but I wasn't sure how else to word it. I've had little experience with AD, but people have always explained it similarly to how you apply folder permissions, and that still doesn't answer the question for me. To put it into some context, how would I restrict a certain group to, say, deploy workstations in SCCM and another to only deploy applications? Another example would be a group with only Read permissions when using Microsoft Visio and another group with read and write permissions.
Solution 1:[1]
• Every application that requires the services of Active Directory must integrate with AD, i.e., open the required LDAP and Kerberos protocol ports for inbound and outbound communication between that application and AD. Once that is done, ensure that the application uses LDAP authentication for retrieving the details required for an authorized and validated response from a Public Key Infrastructure (PKI) server, in this case the Active Directory server.
• Then, when you configure access for the API of that application, ensure that the required groups and users are selected for access to that application. For example, if you want certain groups in your AD environment to have access to your anti-virus software server, then you will have to configure the same in that application's master server or ePO server. Thus, as you said, in the case of SCCM, if you want to allow only a certain group of users to deploy workstations in SCCM and another to deploy applications through it, then you will create a custom security role in the Security → Administration workspace of the SCCM console, wherein the required role will be created and permissions will be set accordingly for those IDs regarding the role they need to perform.
• Thus, SCCM has inbuilt functionality to grant specific permissions relating to the various tasks it supports, according to which roles are created. Hence, permissions for different groups in Active Directory depend on the applications that integrate with AD and its authentication mechanism.
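A worked version of the approach the answer describes, as an added example that is not the answerer's own code: PowerShell that creates one AD security group per job function, maps the SCCM groups to built-in Configuration Manager security roles limited to a collection, and applies read versus modify NTFS rights for the Visio case, where the permission lives on the file data rather than in the application. The domain CONTOSO, the OU path, the group and collection names, the share path and the site code P01 are assumed placeholders; it assumes the ActiveDirectory RSAT module and the Configuration Manager console (which ships the ConfigurationManager module) are installed on the machine it runs from.

```powershell
# Added example (not from the answer): give AD groups least-privilege rights in
# SCCM and on a file share. Domain, OU, group/collection names, share path and
# site code P01 are assumed placeholders; adjust to your environment. Run
# elevated on a host with RSAT-AD-PowerShell and the SCCM console installed.
#Requires -Modules ActiveDirectory

$Domain   = 'CONTOSO'
$GroupOU  = 'OU=Role Groups,DC=contoso,DC=com'   # assumed OU for role groups
$SiteCode = 'P01'                                 # assumed SCCM site code

# --- 1. AD side: one security group per job function (the "who") -------------
$RoleGroups = @(
    @{ Name = 'SCCM-OSD-Operators'; Description = 'May deploy operating systems in SCCM' }
    @{ Name = 'SCCM-App-Deployers'; Description = 'May deploy applications in SCCM' }
    @{ Name = 'Visio-Readers';      Description = 'Read-only access to the Visio diagrams share' }
    @{ Name = 'Visio-Editors';      Description = 'Read/write access to the Visio diagrams share' }
)
foreach ($g in $RoleGroups) {
    if (-not (Get-ADGroup -Filter "Name -eq '$($g.Name)'")) {
        New-ADGroup -Name $g.Name -GroupScope Global -GroupCategory Security `
                    -Path $GroupOU -Description $g.Description
    }
}

# --- 2. SCCM side: map each group to a built-in role, limited by collection --
# The ConfigurationManager module ships with the console; SMS_ADMIN_UI_PATH
# points at its bin\i386 folder, so the module manifest is one level up.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1')
Set-Location "$($SiteCode):"

# Each entry: AD group -> built-in role (the "what") -> collection (the "where").
# Collection names are assumed placeholders; the role names are SCCM's built-ins.
$SccmAssignments = @(
    @{ Group = "$Domain\SCCM-OSD-Operators"; Role = 'Operating System Deployment Manager'; Collection = 'OSD Build Targets' }
    @{ Group = "$Domain\SCCM-App-Deployers"; Role = 'Application Deployment Manager';      Collection = 'All Workstations' }
)
foreach ($a in $SccmAssignments) {
    if (-not (Get-CMAdministrativeUser -Name $a.Group)) {
        # Rights are the intersection of role, collection and security scope;
        # the 'Default' scope is assumed here.
        New-CMAdministrativeUser -Name $a.Group -RoleName $a.Role `
            -CollectionName $a.Collection -SecurityScopeName 'Default'
    }
}
Set-Location C:\

# --- 3. File-based application (Visio): rights live on the data, not the app -
# RX = read and execute, M = modify, F = full; (OI)(CI) inherit to files/subfolders.
# /inheritance:r drops inherited ACEs so only the explicit grants below apply.
$Share = 'D:\Shares\Diagrams'   # assumed path of the Visio share
icacls $Share /inheritance:r `
    /grant "$Domain\Visio-Readers:(OI)(CI)RX" `
           "$Domain\Visio-Editors:(OI)(CI)M" `
           'BUILTIN\Administrators:(OI)(CI)F'
```

The built-in roles used in step 2 are the starting point the answer refers to; when none of them fits, copy the closest one in the console (or with Copy-CMSecurityRole) and trim its permissions rather than granting Full Administrator. Limiting the assignment to a collection is what keeps the OSD group from pushing an image to every device in the site, which is the same least-privilege idea as granting RX rather than M on the Visio share.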
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | KartikBhiwapurkar-MT |
