Users in multiple security groups overwriting permissions?

plouis
New Contributor

I need to give my end users the ability to enroll their own devices, or at least let me assign their AD username to a device that I'm enrolling. To facilitate this, I have added in my office security group to the JSS User Groups with their privileges set to "Enrollment".

I'm an admin, so I'm both a member of the IT security group, AND the office security group. The admin group is assigned Administrator level privileges.

Today I log into the JSS and my personal account (the one in the admins group) has no administrative access at all. It appears that adding in the office security group has overwritten the admin security group, leaving me with no admin access on my account. This is yet another AD issue that I'm having with 9.93. Can anyone tell me if I should be approaching this differently, without having to add in hundreds of users individually?

1 ACCEPTED SOLUTION

davidacland
Honored Contributor II

Are you using "User initiated enrollment" via the web page (/enroll)?

If you are, that wouldn't need them to be added in JSS users and groups, they just need access in the user initiated enrollment section.

Not sure on the actual issue though, I'm afraid. It sounds like it's going with first match of the group and finding the lower access security group first. I haven't tested it but this would be odd behaviour, or at least opposite to almost every permissions system out there!

plouis
New Contributor

Yeah, but the only way I can get the enrollment system to "see" users (aka provide the little green check next to their AD name when I'm walking through the enrollment steps) is to have my office OU added into the JSS. If I don't, I can only add in admins, the only other group added in via AD.

Thanks David.