
Understanding Active Directory and authentication in the PRTG Tree

Votes:

0

I am trying to understand the active directory and authorization best practice. Normally, I would take our AD group that contains everyone, let's call it "Company", and give them Read only access to the Root as the default so that everyone can view the whole tree.

I would then assign specific AD groups to specific App groups and/or devices that would have Read/write access.

What I am seeing is that when someone logs into the system, they are assigned the "Company" group as their primary group.

It seems once they are assigned that as their primary group, when they go into an app group where the AD app group is assigned for R/W access, it only allows them Read access.

Is this the way PRTG works with active directory?

What are my options for this? I want everyone to be able to see everything, but I want some groups to have R/W access to their area to be able to manage their own devices and alerts.

Thank you!

active-directory authentication group-authentication groups

Created on Mar 13, 2020 9:45:45 PM



5 Replies

Votes:

0

Hi batsonp,

Thank you for the post.

It's actually possible to have PRTG-Users, that were created with the AD-Integration, be in more than one PRTG-Usergroup.
The key is to have the corresponding AD-User also be a member of two AD-Usergroups, and then link both AD-Usergroups to two PRTG-Usergroups. For example, say AD-User1 is a member of the AD-Usergroup "Company" and the AD-Usergroup "App Group". If you now create the same usergroups in PRTG, "Company" and "App Group", and link them accordingly to the AD-Usergroups, the user will then be a member of both when he logs in.

Created on Mar 16, 2020 7:42:38 AM by  Moritz Heller [Paessler Support]



Votes:

0

From what I see with AD group membership, a user can be a member of multiple AD groups. But when they log in, it assigns a primary group to the first AD group in the list, that is apparently determined by alphabetical sort of the AD group names in PRTG.

For instance, I have two groups, AD_Company, and AD_Samplemgr. AD_Company has read only at the root, so everyone can see all the devices. When a user logs in the first time, they will be assigned the primary group of AD_Company. I have a group called Sample_mgr with devices in it and I have assigned the AD_Samplemgr group as Write. But no one is able to make any changes because the primary group they are in is the AD_Company group. If I turn off inheritance on the Sample_mgr group, remove the AD_Company group from Read, and only allow the AD_Samplemgr group RW access, the users can no longer see the Sample_mgr group with its devices.

I have tried creating local PRTG groups, but I don't see how I can add people from the Active Directory groups to the PRTG groups.

It seems like what I want to do is not possible. If a person is part of multiple AD groups, then the AD group highest in the alphabetical sort is going to be their primary group. I'm trying to get away from us managing specific groups in PRTG or in AD.

Any help understanding how groups work in PRTG would be appreciated! Thanks!

Created on Mar 16, 2020 6:35:01 PM



Votes:

0

Hi batsonp,

If you want to have one AD user in two PRTG AD User Groups, you need to add the AD user to two AD groups. Afterwards, you need to create two PRTG AD User Groups, and each of these groups has one AD Group (where the user is added) configured. For example:

AD-User-Group1: User 1
AD-User-Group2: User 1

In PRTG:

PRTG-AD-Group1 <- linked -> AD-User-Group1: User 1
PRTG-AD-Group2 <- linked -> AD-User-Group2: User 1

Created on Mar 17, 2020 7:54:58 AM by  Moritz Heller [Paessler Support]



Votes:

0

I'm not understanding what you mean by this:
PRTG-AD-Group1 <- linked -> AD-User-Group1: User 1
PRTG-AD-Group2 <- linked -> AD-User-Group2: User 1

My issues aren't with adding an AD group into PRTG. My issue is getting the permissions to work as I described above.

How do I give everyone in the company the ability to view all the devices/sensors, but limit the Read/Write to specific device groups to a different PRTG AD group? Is that possible? It doesn't seem to be. The active directory groups are already in use in the company, and users are part of many different AD groups.

So in your example above I want PRTG-AD-Group1 to have read access from <Root> so that they can see all the devices and sensors. PRTG-AD-Group2 would have Read/Write access to a specific Device Group.

But when they try to do any editing in the device group that PRTG-AD-Group2 is assigned, they only have read only access.

If I turn off inheritance to the device group and set PRTG-AD-Group1 as no-access, then they can't see the device group anymore, which makes no sense if I have turned off inheritance to that device group.

I hope that clarifies what I am experiencing. Thank you!

Created on Mar 17, 2020 6:55:45 PM

Last change on Mar 18, 2020 8:57:02 AM by  Moritz Heller [Paessler Support]



Votes:

0

I figured it out. I'm not sure why I missed this. Maybe it needs to be clearer in the documentation.

Users have read only and read/write access.

If a user has RO, it doesn't matter what the group access level is set to. The user will be in RO mode for everything.

If a user has RW, the group access level will determine whether that user can make changes. The user may have R/W access, but if the group access level says read only, the user will only have RO access; even though the blue + still shows up, they will not have the ability to add/change sensors.

Thank you for trying to help. I hope this helps someone in the future.

Created on Mar 17, 2020 7:52:37 PM
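The rule the last reply arrives at (a read-only user is capped at read no matter what the group rights say; a read/write user gets whatever the group rights on the object grant), together with the inheritance behaviour described earlier in the thread, as an added Python model. This is not code from the thread or from Paessler. It assumes a simplified model: an explicit per-group entry on an object wins, an object with inheritance on falls back to its parent, an object with inheritance off grants nothing it does not list, and the highest right among a user's groups applies. The group and object names (AD_Company, AD_Samplemgr, Sample_mgr) are the ones from the thread; the tree is constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Access levels on an object, in increasing order of rights.
NONE, READ, WRITE = 0, 1, 2
LEVEL_NAME = {NONE: "none", READ: "read", WRITE: "write"}


@dataclass
class Node:
    """A node in the device tree (root, probe, group or device)."""
    name: str
    parent: Optional["Node"] = None
    inherit: bool = True  # the object's "inherit access rights" switch
    group_access: Dict[str, int] = field(default_factory=dict)  # explicit per-group rights

    def access_for_group(self, group: str) -> int:
        """Rights one user group has on this node. Assumed model: an explicit
        entry on the node wins; otherwise walk to the parent while inheritance
        is on; a node with inheritance off grants nothing it does not list."""
        node: Optional[Node] = self
        while node is not None:
            if group in node.group_access:
                return node.group_access[group]
            if not node.inherit:
                return NONE
            node = node.parent
        return NONE


@dataclass
class User:
    name: str
    groups: List[str]   # every PRTG user group the AD login maps to
    read_write: bool    # the per-user flag from the last post: read/write vs read-only


def effective_access(user: User, node: Node) -> int:
    """Rights the user ends up with on the node. Assumed model: the highest
    right among the user's groups applies, and a read-only user is capped at
    READ regardless of what the groups grant (the thread's conclusion)."""
    best = max((node.access_for_group(g) for g in user.groups), default=NONE)
    return best if user.read_write else min(best, READ)


def can_see(user: User, node: Node) -> bool:
    return effective_access(user, node) >= READ


def can_edit(user: User, node: Node) -> bool:
    return effective_access(user, node) >= WRITE


def build_tree(inherit: bool) -> Dict[str, Node]:
    """Constructed tree mirroring the thread: AD_Company has Read at the
    root, AD_Samplemgr has Write on the Sample_mgr group. `inherit`
    is the inheritance switch on Sample_mgr."""
    root = Node("Root", group_access={"AD_Company": READ})
    sample_mgr = Node("Sample_mgr", parent=root, inherit=inherit,
                      group_access={"AD_Samplemgr": WRITE})
    return {"Root": root, "Sample_mgr": sample_mgr}


if __name__ == "__main__":
    manager_ro = User("manager", ["AD_Company", "AD_Samplemgr"], read_write=False)
    manager_rw = User("manager", ["AD_Company", "AD_Samplemgr"], read_write=True)
    staff = User("staff", ["AD_Company"], read_write=False)
    for inherit in (True, False):
        tree = build_tree(inherit)
        print(f"Sample_mgr inheritance {'on' if inherit else 'off'}:")
        for user in (manager_ro, manager_rw, staff):
            lvl = effective_access(user, tree["Sample_mgr"])
            print(f"  {user.name} ({'RW' if user.read_write else 'RO'} user): "
                  f"{LEVEL_NAME[lvl]}, visible={can_see(user, tree['Sample_mgr'])}, "
                  f"editable={can_edit(user, tree['Sample_mgr'])}")
```

Running it reproduces the thread: the read-only manager sees Sample_mgr but cannot edit it even though AD_Samplemgr has Write there; flipping the same user to read/write yields write access; and switching inheritance off on Sample_mgr makes the group disappear for a user who only belongs to AD_Company, because the Read granted at the root no longer flows down.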




Disclaimer: The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.