Adding External AD Groups

Hi,

We are creating External AD groups in Octopus to restrict the access to our space.
It works fine when we grant access to an External AD Group that has a list of users, but when we grant access to an External AD group that has a list of AD groups it does not work.

Can we add an External AD Group that contains a list of AD Groups?

Kind Regards,
Micheal Power

Hi @mikepower79,

Thank you for contacting Octopus Support.

Is it possible that these groups are Distribution Groups and not Security Groups? According to our documentation:

Assuming the login is successful, Octopus Deploy will create a System.DirectoryServices.AccountManagement.UserPrincipal object to query group membership. Group membership is queried in this order of operations:

  1. First call GetAuthorizationGroups as that does a recursive search and returns security groups only.
  2. If GetAuthorizationGroups() fails (for a variety of reasons), then run GetGroups. The downside of GetGroups() is it only returns groups a user is a direct member of and includes distribution groups. Octopus Deploy ignores distribution groups.

We have a PowerShell script for testing groups that mimics how Octopus performs this lookup that may be helpful:

# Load the AccountManagement types (Add-Type replaces the deprecated LoadWithPartialName call;
# AccountManagement pulls in System.DirectoryServices itself)
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

# Bind to the domain; replace "acme" with your own domain name
$principalContext = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList "Domain", "acme"

# Build a query-by-example group principal; the trailing * is a wildcard on the group name
$principal = New-Object -TypeName System.DirectoryServices.AccountManagement.GroupPrincipal -ArgumentList $principalContext
$principal.Name = "SomeGroup*"

$searcher = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalSearcher
$searcher.QueryFilter = $principal

# FindAll returns the matching groups; IsSecurityGroup shows whether Octopus would consider each one
foreach ($group in $searcher.FindAll()) {
    Write-Output ("{0} (IsSecurityGroup={1})" -f $group.SamAccountName, $group.IsSecurityGroup)
}

$searcher.Dispose()
$principalContext.Dispose()

Let me know your thoughts at your earliest convenience.

Best Regards,
Donny
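As an added example (not code from the original post or from Octopus), the lookup order Donny describes, reproduced in PowerShell so you can see which groups a given user resolves to under each step and whether a nested group survives the fallback; the domain, user and group names are placeholders:

```powershell
# Added example, not Octopus's own code. Mimics the documented order:
# 1) GetAuthorizationGroups (recursive, security groups only),
# 2) fall back to GetGroups (direct memberships only, includes distribution groups),
# then drop distribution groups, as Octopus does. Domain/user/group names are placeholders.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Get-EffectiveSecurityGroups {
    param(
        [Parameter(Mandatory)] [string] $Domain,          # e.g. "acme" (placeholder)
        [Parameter(Mandatory)] [string] $SamAccountName   # user to test (placeholder)
    )
    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList 'Domain', $Domain
    try {
        $user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($ctx, $SamAccountName)
        if (-not $user) { throw "User '$SamAccountName' not found in domain '$Domain'" }

        try {
            # Step 1: recursive token-group search; nested group membership resolves here.
            # @() forces enumeration inside the try so enumeration errors trigger the fallback too.
            $groups = @($user.GetAuthorizationGroups())
            $source = 'GetAuthorizationGroups'
        } catch {
            # Step 2: fallback; only direct memberships, so groups nested inside other groups are missed.
            Write-Warning "GetAuthorizationGroups failed ($($_.Exception.Message)); falling back to GetGroups"
            $groups = @($user.GetGroups())
            $source = 'GetGroups'
        }

        foreach ($g in $groups) {
            # Distribution groups are ignored; IsSecurityGroup is a nullable bool, so compare to $true.
            if ($g.IsSecurityGroup -eq $true) {
                [pscustomobject]@{ Source = $source; Name = $g.SamAccountName; Sid = $g.Sid.Value }
            }
        }
    } finally {
        $ctx.Dispose()
    }
}

# Usage (placeholders): list what Octopus would see, then check one nested group by name.
$effective = Get-EffectiveSecurityGroups -Domain 'acme' -SamAccountName 'jdoe'
$effective | Format-Table -AutoSize
if ($effective.Name -contains 'Octopus-Space-Users') {
    'Nested group resolved for this user'
} else {
    'Nested group NOT resolved; check Source above (GetGroups means the recursive lookup failed)'
}
```

If the Source column reads GetGroups, the recursive lookup failed for that user, which is the case where a group that only contains other groups will not grant access.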
