UNAB - temporary user AD groups


Article ID: 272904




CA Privileged Access Manager - Server Control (PAMSC)


We try to use an Active Directory property to grant a user temporary membership of an AD group; the membership is removed from AD but is still present in UNAB.



Release: 14.1


We try to use the Active Directory property to temporarily grant a user membership of an AD group, like:

=> when the right is granted => no problem, UNAB gets it.

But after the end of the TTL
=> we can see this is no longer granted in Active Directory
but it is still returned by UNAB on the UNIX server.
I even tried removing the UNAB database (*.db) on my UNIX server to be sure the server is up to date:

=> we can see my user still has the T1_DV_GG_CAACCTRL_GA_LXDV0010PV group,
whereas if I do an LDAP search, I don't see it.

How can this be explained?
How does UNAB get all the groups of a user?
Could you provide the LDAP query used by UNAB to get this information?


This is a Microsoft bug; rather than creating a fix in UNAB, we will wait for Microsoft to fix it.

SE found that manipulating temporary group membership in Windows (we used instructions from a Microsoft article on how to enable the feature and set timed membership) breaks the behavior of their mechanism for searching nested groups. The control no longer works as described in their own recommendation, which was issued for AD earlier (see below) and which was coded into uxauthd to ensure that a full search is performed.


"To get a recursive search, or to have AD check relations, extra properties need to be included in the filter. In this case, the string 1.2.840.113556.1.4.1941 will need to be added. According to Microsoft:

The string 1.2.840.113556.1.4.1941 specifies LDAP_MATCHING_RULE_IN_CHAIN. This applies only to DN attributes. This is an extended match operator that walks the chain of ancestry in objects all the way to the root until it finds a match. This reveals group nesting. It is available only on domain controllers with Windows Server 2003 SP2 or Windows Server 2008 (or above)."


This looks like a bug to SE, since a user who was temporarily in a group is no longer in the groups he is still shown as a member of according to the Microsoft information, and, as expected, those groups are not shown in ADUC (Active Directory Users and Computers).

Microsoft will have to fix this behaviour.
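The following script is an added illustration of the two points above, not UNAB or uxauthd code and not part of the original article. It builds the direct-membership filter and the in-chain (1.2.840.113556.1.4.1941) filter Microsoft recommends, with RFC 4515 escaping of the DN value, and then cross-checks what an in-chain search returned against a client-side walk of the memberOf links. The article does not show the exact query uxauthd issues, so the filter form is an assumption; the user and group DNs and the in-chain result are constructed sample data modelling the behaviour described (an expired temporary group still present in the in-chain result).

```python
"""Cross-check AD nested-group search results against a manual walk of
memberOf links.  Added illustration, not UNAB/uxauthd code; the directory
contents below are constructed sample data, not from any real domain."""
from typing import Dict, List, Set

# OID of the LDAP_MATCHING_RULE_IN_CHAIN extended match operator (quoted in the article).
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515):
    '*', '(', ')', '\\' and NUL become a backslash followed by two hex digits."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def direct_member_filter(user_dn: str) -> str:
    """Filter returning only the groups whose 'member' attribute lists the user directly."""
    return "(member=%s)" % escape_filter_value(user_dn)


def in_chain_member_filter(user_dn: str) -> str:
    """Filter returning every group the user belongs to, directly or through
    nesting: the recursive search the article quotes from Microsoft.
    Assumption: that uxauthd issues a filter of this shape; the article only
    says the matching rule was coded into it."""
    return "(member:%s:=%s)" % (LDAP_MATCHING_RULE_IN_CHAIN, escape_filter_value(user_dn))


def walk_member_of(start_dn: str, member_of: Dict[str, List[str]]) -> Set[str]:
    """Transitive closure of memberOf links computed client-side; this is what
    the in-chain search should return when the directory is consistent."""
    seen: Set[str] = set()
    stack = list(member_of.get(start_dn, []))
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        stack.extend(member_of.get(group, []))
    return seen


def stale_groups(in_chain_result: List[str], member_of: Dict[str, List[str]], user_dn: str) -> List[str]:
    """Groups the in-chain search reports that no memberOf path reaches.
    After an expired temporary membership these are the entries a client
    relying on the in-chain search would keep granting."""
    return sorted(set(in_chain_result) - walk_member_of(user_dn, member_of))


# --- constructed sample data (hypothetical DNs) ---------------------------
USER_DN = "CN=jdoe,OU=Users,DC=example,DC=test"
DEV_GROUP = "CN=DevTeam,OU=Groups,DC=example,DC=test"
STAFF_GROUP = "CN=AllStaff,OU=Groups,DC=example,DC=test"
TEMP_GROUP = "CN=TempAdmins,OU=Groups,DC=example,DC=test"   # TTL membership, now expired

# memberOf as currently readable on each object: the expired TTL link is gone.
MEMBER_OF = {
    USER_DN: [DEV_GROUP],
    DEV_GROUP: [STAFF_GROUP],
}

# Modelled in-chain search result for the same user: the expired group is
# still listed, mirroring the behaviour the article describes.
IN_CHAIN_RESULT = [DEV_GROUP, STAFF_GROUP, TEMP_GROUP]


def report() -> List[str]:
    """Run the cross-check on the sample data and return the stale groups."""
    stale = stale_groups(IN_CHAIN_RESULT, MEMBER_OF, USER_DN)
    for dn in stale:
        print("stale membership from in-chain search:", dn)
    return stale


if __name__ == "__main__":
    print("direct filter  :", direct_member_filter(USER_DN))
    print("in-chain filter:", in_chain_member_filter(USER_DN))
    report()
```

To use this against a real domain, populate MEMBER_OF from the memberOf attributes read with any LDAP client and IN_CHAIN_RESULT from a search using in_chain_member_filter(); any group returned by stale_groups() is one the in-chain search still reports after the link is gone, which is the discrepancy to raise with Microsoft rather than something a UNAB cache rebuild will clear.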