
Provide option to create AD security groups instead of distribution groups

    • Suggestion
    • Resolution: Unresolved
    • Directory - LDAP
    • Standalone, Linux server, JDK 1.5.0. The PDC is running Windows Server 2003.

      Original description:

      When I create an AD group from Crowd, I get a "non-security" group (sAMAccountType == samNonSecurityGroupObject, groupType == [ GlobalScope ]). The groups I create from within AD are security groups (sAMAccountType == samGroupObject, groupType == [ GlobalScope, Security ]). The non-security groups don't work for restricting access to things using AD without involving Crowd.

      I think it would be better if Crowd out-of-the-box would create security groups.

      Distribution groups are required for nesting, but we should have an option to use security groups if nesting is disabled.
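
The attribute values quoted in the description can be checked across a directory export. The following is an added example, not code from this issue or from Crowd: it decodes raw `groupType` and `sAMAccountType` values as LDAP returns them and lists groups that lack the Security flag. The function names and sample entries are constructed for illustration.

```python
# Added example: classify AD groups from raw LDAP attribute values.
# Bit values follow Microsoft's documented groupType / sAMAccountType enumerations.
GROUP_TYPE_FLAGS = {
    0x00000002: "GlobalScope",
    0x00000004: "DomainLocalScope",
    0x00000008: "UniversalScope",
    0x80000000: "Security",
}
SAM_ACCOUNT_TYPES = {
    0x10000000: "samGroupObject",
    0x10000001: "samNonSecurityGroupObject",
    0x20000000: "samAliasObject",
    0x20000001: "samNonSecurityAliasObject",
}

def decode_group_type(raw):
    """groupType arrives as a signed 32-bit decimal string; mask to unsigned first."""
    value = int(raw) & 0xFFFFFFFF
    return [name for bit, name in GROUP_TYPE_FLAGS.items() if value & bit]

def classify(entry):
    flags = decode_group_type(entry["groupType"])
    sam = SAM_ACCOUNT_TYPES.get(int(entry["sAMAccountType"]), "unknown")
    is_security = "Security" in flags
    # Both attributes should tell the same story; a mismatch deserves a closer look.
    consistent = is_security == (sam in ("samGroupObject", "samAliasObject"))
    return {"cn": entry["cn"], "flags": flags, "sam": sam,
            "security": is_security, "consistent": consistent}

def non_security_groups(entries):
    """Names of groups that cannot be used in access control lists."""
    return [c["cn"] for c in map(classify, entries) if not c["security"]]

# Constructed sample entries (hypothetical names, not from a real directory).
SAMPLE = [
    {"cn": "created-in-ad", "groupType": "-2147483646", "sAMAccountType": "268435456"},
    {"cn": "created-by-crowd", "groupType": "2", "sAMAccountType": "268435457"},
]

if __name__ == "__main__":
    for e in SAMPLE:
        print(classify(e))
    print("non-security groups:", non_security_groups(SAMPLE))
```
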

            [CWD-1788] Provide option to create AD security groups instead of distribution groups

            Jamison Novak added a comment - Please consider adding this to the next release of Crowd. As you can see from Andrew's link, it is possible to nest security groups in AD and would be the preferred method.

            Colleen Velo added a comment - I am also experiencing the same issue when trying to create groups via the Crowd Console against a Crowd Windows Active Directory.

            • Crowd 2.0.7

            I agree with Andrew Moise's sentiments - allowing for creating of groups that can't be used for authentication is fairly useless.

            Andrew Moise added a comment - According to http://technet.microsoft.com/en-us/library/cc776499(WS.10).aspx (and the behavior of my Crowd installation) you can nest security groups if the functional level is set to "Windows 2000 native" or higher. Since AD groups Crowd is dealing with aren't good for much if they aren't security groups, I would recommend updating the docs to recommend changing the functional level if you want nested groups, instead of giving people groups that are going to silently not work for authentication (regardless of whether those people are nesting groups or not).

            David O'Flynn [Atlassian] added a comment - Hi Andrew,

            We switched to creating distribution ("non-security") groups in Crowd to allow nested group support. You can't nest security groups. We should probably, however, allow admins the option to select which kind of group is created.

            I'll update this issue to reflect that.

            Cheers,
            Dave.
            Crowd Product Manager

              Unassigned
              Andrew Moise (andrew.moise)
              Votes: 6
              Watchers: 7
