Question

Mapping privileged accounts to regular accounts based on different attributes

  • June 15, 2026
  • 1 reply
  • 7 views

From what I can tell, with dedicated account mapping (e.g. KB0017035) the only option available is to map the exact same attribute in both domains. For example,

employeedomain\user1 has attribute1 set to “user1”

privilegeddomain\admin1 has attribute1 set to “user1”

to drive the mapping via smart rules.


However, that implies that modifying attribute1 in employeedomain to a different value, say, “user2”, would grant user1 access to user2’s privileged resources, giving domain1 authority over a privileged domain’s access.


What I want to be able to do is have privilegeddomain\admin1 attribute1 set to “user1”, and map that to employeedomain\user1’s name field (or samaccountname, or SID - something not modifiable without breaking the employeedomain\user1 account).


Is that possible?

1 reply

  • Author
  • Apprentice
  • June 15, 2026

Looking further into it, I think the only way would be to require the privileged accounts to contain the same name with an appended suffix.

In the example above, the privileged account could not be “admin1”, but would have to be variations on “user1” - so “user1-admint0”.

But in that scenario, I don’t know if I can do one-to-many mappings without multiple smart rules.
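As an added illustration (not code from this thread, from KB0017035, or from the product itself), the Python below models the three mapping keys discussed above: matching on a mutable attribute1 in both domains (the question's current setup), matching the privileged account's attribute1 against the employee's objectSid (what the question asks for), and matching a name-plus-suffix convention (the reply's idea). The two directories are constructed in-memory dicts, the account names and SIDs are made up, and the matching functions are a stand-in for smart-rule evaluation rather than a reproduction of it; whether the product can key on objectSid or on a name prefix is a product question the thread leaves open. What the example shows is why the choice of key matters: one string edit in the employee domain re-points user1 at user2's privileged accounts under the attribute scheme, a collision check catches it, and the SID-keyed mapping is unaffected by the same edit, while the suffix scheme gives one-to-many from a single prefix match.

```python
import copy
from collections import defaultdict

# Constructed sample directories: in-memory stand-ins for the two AD domains.
EMPLOYEES = {
    "user1": {"objectSid": "S-1-5-21-1111-2222-3333-1001", "attribute1": "user1"},
    "user2": {"objectSid": "S-1-5-21-1111-2222-3333-1002", "attribute1": "user2"},
}

# Scheme from the question: privileged attribute1 holds the employee's attribute1.
PRIVILEGED_BY_ATTR = {
    "admin1": {"attribute1": "user1"},
    "admin2": {"attribute1": "user2"},
    "admin2-backup": {"attribute1": "user2"},
}

# Scheme the question asks for: privileged attribute1 holds the employee's
# objectSid, which the employee domain cannot rewrite without breaking the account.
PRIVILEGED_BY_SID = {
    "admin1": {"attribute1": "S-1-5-21-1111-2222-3333-1001"},
    "admin2": {"attribute1": "S-1-5-21-1111-2222-3333-1002"},
}

# Scheme from the reply: privileged sAMAccountName is employee name + suffix.
PRIVILEGED_BY_NAME = {"user1-admin0": {}, "user1-admin1": {}, "user2-admin0": {}}


def _sorted(mapping):
    return {emp: sorted(accts) for emp, accts in mapping.items()}


def map_by_attribute(employees, privileged):
    """Match privileged.attribute1 == employee.attribute1 (a mutable key)."""
    holders = defaultdict(set)
    for emp, e in employees.items():
        holders[e["attribute1"]].add(emp)
    mapping = defaultdict(set)
    for priv, p in privileged.items():
        for emp in holders.get(p["attribute1"], ()):
            mapping[emp].add(priv)
    return _sorted(mapping)


def map_by_sid(employees, privileged):
    """Match privileged.attribute1 == employee.objectSid (an immutable key)."""
    by_sid = {e["objectSid"]: emp for emp, e in employees.items()}
    mapping = defaultdict(set)
    for priv, p in privileged.items():
        emp = by_sid.get(p["attribute1"])
        if emp is not None:
            mapping[emp].add(priv)
    return _sorted(mapping)


def map_by_name_prefix(employees, privileged, sep="-"):
    """Match privileged name == employee name + sep + any non-empty suffix.
    One prefix rule per employee yields one-to-many without extra rules."""
    mapping = defaultdict(set)
    for priv in privileged:
        for emp in employees:
            if priv.startswith(emp + sep) and len(priv) > len(emp) + len(sep):
                mapping[emp].add(priv)
    return _sorted(mapping)


def duplicate_keys(employees):
    """attribute1 values held by more than one employee: the mapping is then
    ambiguous and every holder receives the same privileged accounts."""
    holders = defaultdict(list)
    for emp, e in employees.items():
        holders[e["attribute1"]].append(emp)
    return {k: sorted(v) for k, v in holders.items() if len(v) > 1}


def gained_privileges(baseline, current):
    """Privileged accounts an employee maps to now but did not in the baseline."""
    gained = {}
    for emp, accts in current.items():
        new = set(accts) - set(baseline.get(emp, []))
        if new:
            gained[emp] = sorted(new)
    return gained


def demo():
    baseline = map_by_attribute(EMPLOYEES, PRIVILEGED_BY_ATTR)
    tampered = copy.deepcopy(EMPLOYEES)
    # A single string edit by an employee-domain admin: user1 claims user2's key.
    tampered["user1"]["attribute1"] = "user2"
    after = map_by_attribute(tampered, PRIVILEGED_BY_ATTR)
    return {
        "baseline": baseline,
        "after_tamper": after,
        "gained": gained_privileges(baseline, after),
        "duplicates": duplicate_keys(tampered),
        "sid_keyed_after_tamper": map_by_sid(tampered, PRIVILEGED_BY_SID),
        "name_keyed": map_by_name_prefix(EMPLOYEES, PRIVILEGED_BY_NAME),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

Running it shows user1 gaining admin2 and admin2-backup after the edit under the attribute scheme, the duplicate-key check flagging "user2" as held by both employees, the SID-keyed mapping still returning admin1 for user1, and the prefix scheme returning both user1-* accounts from one rule. The collision and gained-privilege checks are the part worth keeping regardless of which key the product supports: run them against a stored baseline after each directory sync and alert on any change.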