JSS User Groups, Standard and LDAP

New Contributor

Is there a way (or a feature request) to add an LDAP group as a member in a standard group?

Our organization would love to have AD set tech groups that then get scoped to multiple Standard Groups that have site access.

-AD Groups: 'Silver' has Tech 1 and Tech 2, 'Red' has Tech A and Tech B
-Standard Groups:(site access) Eau Claire, Minneapolis, New York, San Francisco We'd want to add 'Silver' to Eau Claire and New York, and 'Red' to Minneapolis and San Francisco, so they'd have have site level access to each of those.

We have over 30 techs and a decent amount of movement so it'd be really cool to be able to just manage them in AD then have the group changes/access reflect in AD.

I hope this makes sense and any ideas are very welcome!



We do what you describe by using AD groups that have site access only and then manage group membership in AD. We have around 60 techs (in 6 teams and a service desk) and our environment is split into 15 JSS sites so I did not want to manage access in the JSS.

What we do is create AD groups that correspond to a role in the JSS (e.g. admin or auditor) and each site has one of each assigned. These groups have custom permissions that apply to all members. Once the LDAP groups are configured in the JSS you do not need to touch them and all management is done in AD.

Users can be part of multiple groups and permissions will apply as they move between sites - e.g. Tech1 can have auditor access in the "Staff" site but admin access in the "Student" site. As they move between sites they can use features accordingly.

The screenshot below might make a bit more sense.


You can also nest other groups in AD. - e.g. Group "Staff-Support" can be part of "JSS-Staff-Site-Admins". This way if a new tech joins the company and are part of that AD group, then they automatically have the same access as anyone else without you needing to maintain it in the JSS.

I hope this helps.

New Contributor III

@yan1212 I have a question currently i have my JSS setup the same way you do at the moment but my members display N/A but they are unable to log in even though when i run the tests in the LDAP User Group Membership Mappings check out. Is there any special setting needed for this?


@bjones I am experiencing the same issues.
I would like to bring AD groups into the JSS and configure site access to those groups.
For instance, if I bought in "service desk" OU from AD, all the users would be brought along with it so I wouldn't have to import individual accounts into the JSS.

Does that make sense?

Has anyone achieved this?