AD group membership not showing change event when user is deleted - windows

I have an application which uses Dirsync to monitor the changes in AD. When I add/remove users to a group, AD creates an event for it. But when I delete a user from AD, it only creates a changelog for user deletion. I don't get a changelog for "user removed from a group".
Are there some settings I can enable to view these kinds of changes too?

When you delete a user, they are not automatically deleted from the group. Their SID is left lingering in the group membership unless you manually remove it. This happens to access controls as well: if you gave permission for a share to that user, you'll see a SID with no user information left on the share after you delete the user.
My organization adopted the policy of disabling users and moving them to a "Terminated Users" OU with a GPO attached that makes their session unusable if someone managed to re-enable the account. This allows us to avoid dangling SIDs and not have to worry about doing a full audit of group membership every time an employee leaves.
If you wish, you could do an audit once a year where you remove all permissions for a user, then delete the user, but I don't really feel it's necessary.
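
The SID left on a share after the user is deleted, as described in the answer above, can be picked out of saved icacls output. This is an added example, not code from the thread; the sample output, paths, group names and SID are constructed.

```python
import re
from typing import NamedTuple

# Constructed sample of `icacls <folder> /T` output; paths, names and SID are made up.
SAMPLE_ICACLS = r"""
D:\Shares\Finance BUILTIN\Administrators:(OI)(CI)(F)
                  CONTOSO\Finance-RW:(OI)(CI)(M)
                  S-1-5-21-1111111111-2222222222-3333333333-1105:(OI)(CI)(M)

D:\Shares\Finance\Q3 Reports S-1-5-21-1111111111-2222222222-3333333333-1105:(I)(OI)(CI)(M)
                             NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)

Successfully processed 2 files; Failed processing 0 files
"""

class OrphanAce(NamedTuple):
    path: str
    sid: str
    rights: str
    inherited: bool   # True when the ACE carries icacls' (I) flag

# An account SID (S-1-5-21-<domain or machine>-<RID>) shown as the trustee itself.
# icacls prints the raw SID only when it could not map it to a name, which is
# what a deleted account looks like (an unreachable trusted domain looks the same).
_SID_ACE = re.compile(r"(?<![\w-])(S-1-5-21(?:-\d+){4}):((?:\([^)]*\))+)")

def find_orphan_aces(icacls_output: str) -> list[OrphanAce]:
    findings, head = [], ""
    for line in icacls_output.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            head = line  # first line of an object: "<path> <trustee>:<rights>"
        m = _SID_ACE.search(line)
        if m:
            # Continuation lines are indented to the trustee column, so the
            # match offset also tells us where the path ends on the head line.
            path = head[:m.start()].rstrip()
            rights = m.group(2)
            findings.append(OrphanAce(path, m.group(1), rights, "(I)" in rights))
    return findings

def cleanup_targets(findings: list[OrphanAce]) -> list[str]:
    """Paths holding an explicit orphan ACE; inherited copies follow the parent."""
    return sorted({f.path for f in findings if not f.inherited})

if __name__ == "__main__":
    for ace in find_orphan_aces(SAMPLE_ICACLS):
        print(ace)
    print("fix at:", cleanup_targets(find_orphan_aces(SAMPLE_ICACLS)))
```

Only the explicit entry needs to be removed by hand; the inherited copy on the subfolder goes away once the parent ACL is corrected.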

A deleted testnet account gets fully restored

I'm currently playing with some stuff on Near (testnet), following an example on github/Learn-NEAR/starter--near-sdk-as.
I accidentally deleted my account - quantransedev. After that I re-created it with the same account name, with a new passphrase of course. I noticed the newly created account had everything the old one had. It seemed like a restored account.
Is this expected behavior? It doesn't make sense to me at all in terms of security. Please advise.
https://explorer.testnet.near.org/accounts/quantransedev.testnet
https://explorer.testnet.near.org/transactions/3GTFEzvTfDiAxm8fdpZeWP7NjRFTjFJaDYQNX6ANAUns
This is expected behavior - when you delete an account it does not delete all the things this account owns or controls. That needs to be done manually before the account is deleted.
Account deletion just deletes the information about this specific account state on-chain.
When you recreate the account - it will actually be back to controlling whatever was linking to it by account id.
Generally, if you delete an account - that name and the things it owns are up for grabs for anyone else, so account deletion should be done very carefully.
Filed two issues to improve experience here:
https://github.com/near/nearcore/issues/5816
https://github.com/near/near-cli/issues/900
The account had been deleted and the remaining funds were burnt since the beneficiary account did not exist (the account got removed before the transfer was initiated). You can also confirm that the account had actually been removed by seeing that the next transactions (deletion of other accounts with beneficiary account id set to quantransedev.testnet) did not succeed in transferring the remaining tokens from the removed accounts (the tokens got burnt).
You had to re-create the account explicitly from scratch: https://explorer.testnet.near.org/transactions/CroKF7ipwM3fDgH5ogVrnWS6JSmnhvjkaJNDqiWzjsm2 to gain control over the account id. Before that moment, the account did not exist on the chain. Explorer, however, keeps track of all the ever-existing accounts on the network, which might have confused you.

Creating a security role to be able to only create roles and users without having system admin role

CRM 2015: I want to be able to create a role for local IT to be able to add user accounts and assign roles.
Regarding the 'adding roles' portion, is it simple enough just to create a role for local IT to 'write' to 'security' roles in the 'business management' tab of 'security roles' at the user level?
No, this is not that simple. A user cannot give another user a privilege higher than he has (it would be a serious security hole). So for example you have a role to edit Security roles and you have Read access for Accounts in your Business Unit. If somebody in your Business Unit has no Read access and only User access, you can add him Read access for the Business Unit (the same you have), but you will not be able to give him Organizational access (so higher than yours). You could imagine that if this were possible, you would be able to basically give yourself Admin privilege and do whatever you want in CRM.
Knowing that, it should be possible for you to create a role that for example has full access to Accounts, Contacts, Custom entities etc. and Security Roles. This role would be able to modify other users' access levels to Accounts, Contacts etc. but no other entities that they don't have privilege to.
Exactly the same logic applies to assigning the Security Roles. So User A cannot assign a Security Role to User B if it gives User B privileges higher than User A has.
In the end, it is very hard to properly implement the scenario that you described, because there are so many privileges and a user needs to have a lot of them to even use the CRM. I've tried this once but could not satisfy the business requirement - it always ended up with using the System Admin role, because there was always some scenario that could not have been handled by a user only with this "specific" security modification role.
Assigning 'System Administrator' security role and changing Access Mode in user record to 'Administrative' helped me to achieve this. User still cannot access any transaction data. So, I think you can go for this approach.

How can I easily add others to update my G Suite App listing?

I've looked all over the admin console, but can't find where to add other users so that they can edit our listing. Can you please provide a URL/link to where I should navigate?
You may want to check this support page. You can:
assign pre-built roles for performing common business tasks
assign custom roles you create for your organization
assign more than one role to a user to grant all privileges in those roles
Note that you must be signed in as a super administrator for this task.
The user typically gets their new privileges within a few minutes. However, it can take up to 24 hours. When they sign in to their account, they arrive at the Admin console dashboard. Here they see the controls allowed by their privileges.
Hope this helps!
I think you want to navigate to this URL while logged in as the app project owner:
https://console.cloud.google.com/iam-admin/iam/project?project=(add your project ID)
And assign roles to different users or groups.
You can use group publishing on the G Suite Marketplace:
Set up Group Publishing
You can share ownership of your items in Google Chrome Web Store with other developers by setting up group publishing. With group publishing, you can add developers to a Google Group, who can then act on your behalf. They'll have access to all the items you own and can make any changes to them that you can make.
https://developer.chrome.com/webstore/publish#set-up-group-publishing
(Each member of the group should pay the $5 developer fee though.)
You can configure the group from your webstore dashboard.
https://chrome.google.com/webstore/developer/dashboard

How do I disable users in Teamcity?

If somebody has left my firm, how do I disable their account in Teamcity? I only see a delete option. I'll lose the configurations set by the user if I delete him, right?
Is there a disable/Deactivate user option?
Currently it is not possible to disable a user. You can watch/vote for the corresponding issue in the bug tracker.
The options you have now are:
Remove all roles/permissions of a user
Change user's password
Delete the user. This will not delete user's created items (projects, configurations, etc). The deleted user will be shown as 'unknown' on the UI

Deleting admin account in ObjectGears

After starting ObjectGears the first time I created administrator as the first user. I configured everything with this user and then imported other users.
Now I do not know if I can delete this user. I do not want to lose admin access.
You can delete it. The fact that some account is admin is set in the file web.config in the parameter AdminLogins. So admin can be anybody who has the account included here.
You can also leave this parameter blank and then nobody will be able to change any configuration in the instance, supposing you also delete model owners.
