MiM/PAM Nested Groups

Najwan Khazem (MEA) 1 Reputation point
2021-06-02T10:03:27.407+00:00

Hi, we have a PAM setup in which the bastion forest is deployed the same way as per Microsoft documentation.
All is good; however, we are applying the administrative tier model as well.

In the production forest we have created a group named "Tier 0 Admins" and it is a member of Domain Admins,
so any member of T0admin can fully manage the domain.

To apply the PAM concept we have created a PAM group called "Tier 0 Admins" and created a privileged account in the bastion forest named priv\priv.T0admin.

We have removed T0admin from the "Tier 0 Admins" group and initiated a PAM request, which is successful.
We logged in to the DC using priv\priv.T0admin and can see in `whoami /groups` that T0admin is a member of "Tier 0 Admins".
However, this user does not have the privileges of "Domain Admins", and it seems PAM does not support nested groups in this case. Has anyone faced a similar issue, and is there any documentation from MS in this regard?

Microsoft Identity Manager

1 answer

  1. Tom Houston 176 Reputation points
    2021-06-15T12:12:01.23+00:00

    Hey anonymous user,

    Yes, it would appear that only direct memberships in PRIV shadow principal groups are enumerated in the CORP forest. I don't know if this is the intended design or a bug.

    Another approach would be to transition the Domain Admins group from the CORP forest to the PRIV forest and include it as a privilege within the PAM role.

    New-PAMGroup -SourceGroupName 'Domain Admins' -SourceDomain 'corp.contoso.com'
    

    Hope this helps.

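The approach in the answer above, carried through end to end as an added example (this is not code from the original post or from Microsoft's documentation, and the names are assumptions): the production forest is corp.contoso.com with a DC named corpdc.corp.contoso.com, the bastion forest already trusts it as described in the question, the CORP account is T0admin, and the role is created fresh under the name "Tier 0 Admins". The point is that each privilege the requester needs is attached to the role as its own shadow group, so nothing relies on group nesting inside CORP. The last lines show the check a practitioner would run after the request is granted: the token must contain the CORP Domain Admins SID (RID 512), not just the "Tier 0 Admins" group.

```powershell
# Added example (not from the original post). Run on the MIM PAM server in the
# bastion (PRIV) forest as a PAM administrator. Assumed names: corp.contoso.com,
# corpdc.corp.contoso.com, source account T0admin, role 'Tier 0 Admins'.
Import-Module MIMPAM

# Credentials that can read the CORP domain and have the rights New-PAMGroup
# needs on the source group (the same account used for the initial PAM setup).
$corpCred = Get-Credential -UserName 'CORP\Administrator' `
                           -Message 'CORP domain admin credentials'

# 1. Shadow the CORP 'Domain Admins' group itself in PRIV. Membership in this
#    shadow group puts the Domain Admins SID into the requester's token directly,
#    so the nesting 'Tier 0 Admins' -> 'Domain Admins' is no longer required.
$domainAdmins = New-PAMGroup -SourceGroupName 'Domain Admins' `
                             -SourceDomain    'corp.contoso.com' `
                             -SourceDC        'corpdc.corp.contoso.com' `
                             -Credentials     $corpCred

# 2. Keep the tier-model group as a second, separately granted privilege.
$tier0 = New-PAMGroup -SourceGroupName 'Tier 0 Admins' `
                      -SourceDomain    'corp.contoso.com' `
                      -SourceDC        'corpdc.corp.contoso.com' `
                      -Credentials     $corpCred

# 3. Mirror the CORP account into PRIV (the default naming gives priv.T0admin,
#    matching the account in the question).
$t0user = New-PAMUser -SourceDomain 'corp.contoso.com' -SourceAccountName 'T0admin'

# 4. Build the role with BOTH shadow groups as privileges. Each one is granted
#    as a direct membership when a request is approved; TTL is in seconds.
$role = New-PAMRole -DisplayName 'Tier 0 Admins' `
                    -Privileges  $domainAdmins, $tier0 `
                    -Candidates  $t0user `
                    -TTL         3600

# 5. As priv.T0admin, request the role (no approval configured above, so it
#    activates immediately) and then verify the token on a CORP machine.
New-PAMRequest -Role 'Tier 0 Admins'

# The decisive check: the CORP Domain Admins SID ends in -512. If this returns
# nothing, the privilege did not reach the token and the role is still relying
# on nesting inside CORP. Requires a fresh logon after the request is granted.
whoami /groups /fo csv |
    ConvertFrom-Csv |
    Where-Object { $_.SID -like '*-512' } |
    Select-Object 'Group Name', SID
```

If the "Tier 0 Admins" role already exists in PRIV, do not create a second one; add the new `$domainAdmins` shadow group to the existing role's privilege list with `Set-PAMRole` instead of `New-PAMRole`, then re-run the request and the `whoami /groups` check.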
