We have our teams set up to use AD groups; however, when we add a new person into an existing AD group they do not get the permissions they should have.
We are using Octopus 3.8.8.
We have tried:
- Re-Creating the Octopus user
- Re-Creating the Octopus team
- Restarting the Octopus server service
- Restarting the Octopus server (windows machine)
I’ve had a look in the Octopus database, and can see in the JSON that the “SecurityGroupsLastUpdated” is very recent (within the last 10 minutes); however, the security group IDs do not match those of another user who is in the same AD groups.
Can you please assist with this?
Having looked into this issue further ourselves we have come up with a solution to the problem which we thought we would share in case anyone else has this same problem.
The issue was AD permissions.
TL;DR: Octopus service account did not have permission to read group membership.
To elaborate, our Octopus Server service logs on as "domain\OctopusSvrSvc".
This user is in the default “Domain Users” group, so can see membership of that group.
However, it cannot see membership of users in other groups.
Although it can see the groups, and the members of each group, it cannot see which groups a user is in.
(Essentially, when looking from a group it works; when looking from a user it does not.)
This issue was caused by a restructure of Active Directory OUs which meant that the default “Authenticated Users” read permission on all objects was missing.
To fix this, we created a new security group for service accounts and added read permission at the top level of the domain.
Read permission was for “this object and all descendant objects”.
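A diagnostic you can run in a session that authenticates as the Octopus service account, to reproduce the group-to-user / user-to-group asymmetry described above and to check whether the inherited read ACE for Authenticated Users is still present at the domain root. This is an added example, not code from the thread or from Octopus Deploy; it assumes the RSAT ActiveDirectory module is installed, and the user and group names are placeholders.

```powershell
# Added diagnostic (not from the thread). Run as the Octopus service account, e.g.
#   runas /user:domain\OctopusSvrSvc powershell
# Assumes the RSAT ActiveDirectory module; $UserSam and $GroupSam are placeholders.
Import-Module ActiveDirectory

$UserSam  = 'jdoe'              # placeholder: a user who is missing permissions in Octopus
$GroupSam = 'OctopusDeployers'  # placeholder: an AD group mapped to an Octopus team

# 1. Group -> members. This direction worked for the poster's service account.
$members = Get-ADGroupMember -Identity $GroupSam -Recursive |
    Select-Object -ExpandProperty SamAccountName
"Members of $GroupSam visible to $($env:USERNAME): $($members -join ', ')"

# 2. User -> groups. This is the direction that failed: reading memberOf on the
#    user object needs read access to that object, normally granted to Authenticated Users.
$user = Get-ADUser -Identity $UserSam -Properties memberOf
"memberOf entries readable on $($UserSam): $($user.memberOf.Count)"
if (($members -contains $UserSam) -and ($user.memberOf.Count -eq 0)) {
    Write-Warning "$UserSam is listed as a member of $GroupSam, but the user's own group list is unreadable. Check read ACEs on the user's OU."
}

# 3. Does Authenticated Users still hold an inherited Allow/Read ACE at the domain root?
#    The poster's root cause was the absence of exactly this permission after an OU restructure.
$domainDn = (Get-ADDomain).DistinguishedName
$acl      = Get-Acl -Path "AD:\$domainDn"
$readAces = $acl.Access | Where-Object {
    $_.IdentityReference -eq 'NT AUTHORITY\Authenticated Users' -and
    $_.AccessControlType -eq 'Allow' -and
    # any read-family right (ReadProperty, ListChildren, ReadControl, ...)
    (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericRead) -ne 0) -and
    # 'All' = this object and all descendant objects; 'Descendents' is the .NET enum spelling
    ($_.InheritanceType -in @('All', 'Descendents'))
}
if ($readAces) {
    "Authenticated Users read ACE present at $domainDn (inheritance: $($readAces.InheritanceType -join ', '))"
} else {
    Write-Warning "No inherited Read ACE for Authenticated Users at $domainDn. Service accounts will not be able to read user objects unless another ACE grants it."
}
```

If step 1 succeeds while step 2 returns zero entries for a user that step 1 listed, the service account has the same asymmetry the post describes; step 3 then shows whether the domain-root ACE is the cause, and the fix is an inheritable read ACE for a service-account group as the poster did.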
Thanks for getting in touch and sharing your fix for this problem! This is valuable information to know, and I’m sure it’ll benefit users who may have this same issue. We’ll also expand our Troubleshooting Active Directory Integration page in our docs to include this information.
Thanks again and best regards,