by ·2 Kommentare

Microsoft introduced a new feature back in 2016 called „time based group membership“ . Since then it is possible to add groupmembership with an expiration date.

There are plenty of examples on how to add a ttl to a groupmembership. I will only explain the basic mechanism on how to determine if a membership is time based or not.

After adding a time based membership you can check the groupmemberships with powershell by adding a ShowMemberTimeToLive parameter like this:

(Get-ADGroup -LDAPFilter „(CN=ROL-TEST-DIFEO)“ -Properties member -ShowMemberTimeToLive).member

The Result of the member field is mixed with normal memberships and time based memberships.

Time based memberships have the distinguishedname in the members field with an TTL prefix and look like this <TTL=xxx>,cn=difeo,ou=users… while xxx is time in seconds that this object remains in this group. These seconds count down to 0. After this, the object isnt member of this group anymore.

For flexibility we put groups into groups to summarize permissions to roles and not to persons. So it usual that a user has 3 groupmemberships with tons of groups with additional permissions. We cascade groups only one level to keep complexity under contol.

So my user difeo is in a group calles ROL-TEST. This group is member in a group called RES-TEST that binds the permissions to the resource.

Due to the lack of implementation for Active directory, a lot of systems can’t resolve groups in groups on LDAP level. We have such software in use and don’t want to make compromises in giving our users permission, so we use a special query called LDAP_MATCHING_RULE_IN_CHAIN that does the resolving job for us.

This query works pretty well, while being very slow. But in the end it does it’s job, unfortunately not for permissions with a TTL. If we do the query with LDAP_MATCHING_RULE_IN_CHAIN it will return all the users plus the users that has been added with a TTL, even when they shoudln’t be part of the group anymore. This break the permission model, because people still have access to things that they dont have to.

We opened a case for this one at microsoft and hope to get a fix for that.

Here are some powershell screenshots of this

Adding my users to ROL-TEST group with TTL of 2 minutes

Getting all members of this group (see my TTL membership)

Getting all members (none) again and then do the LDAP_MATCHING_RULE_IN_CHAIN query with the result of my user that isn’t part of the group anymore.

What I’ve missed here was querying the RES group, because this is the scenario we have (cascaded groups) but the result is the same

UPDATE 27.04.2023

Microsoft can reproduce this behaviour in their lab. They’ll keep me updated on this topic. Lets see when this will be fixed

Update 01.08.2023

Microsoft confirmed this as a bug and deploy a fix within the upcoming patchdays. All supported Windows Server (not extended support) will receive an update for this issue.

by ·19 Kommentare
Firefox Xmarks

Paul (Nickname Killerx) did a great job with developing the GPO add-on for Firefox called GPOFirefox.
There are a couple of Extensions out there, that handle the interface between Firefox and the Registry. That’s in case all you need to do, if you add some of these admx files around for managing Firefox through GPO. Since Paul stopped the development of the Gpofirefox add-on with version 5 of Firefox there are some things, that this add-on can’t handle.

First of all, there are some differences between this add-on and other add-ons like for example the one of Frontmotion, which isn’t really a add-on. It’s kind of build into the so called Community Edition of Frontmotion Firefox. The Frontmotion add-on lacks at some point, when you need to change more settings than just the defaults like browser startup homepage, or proxy settings. If you only need these few defaults, I would recommend to use Frontmotions version, instead of any other, because Frontmotion comes with a customized admx file for all default settings in Firefox. The point, where this is not enough is when you want to change settings for example of an extension. Because Frontmotions admx file doesn’t support custom settings, so you can’t handle this.

Lets explain, how these GPO add-ons work.
Frontmotion offers an admx template that can be imported to your active directory gpo manager, to change all default settings. In the background, everything is done by writing some strings to the registry. Firefox reads these values and changes them locally in your running Firefox (about:config). That’s it. So, to test these add-ons, all you need to do is just open your registry editor and go to \HKLM|HKCU\software\policies\mozilla\defaultpref|pref|lockedpref (depending of kind of GPO add-on you are using). Here comes the gap.
Frontmotion doesn’t support any other values than the default settings of Firefox. Although this is really long list, but you are not able to control any setting that doesn’t belong to the default set of Firefox. Even if you set custom settings in your registry, they aren’t noticed! GPOFirefox does support these custom values, but lacks at some point as well. For example, if you want to use xmarks with your own server, you can set extesnions.xmarks.useOwnServer to true.
After putting it to the registry it looks like this:

Windows Registry Editor Version 5.00 [HKEY_CURRENT_USER\SOFTWARE\Policies\Mozilla\defaultpref] "extensions.xmarks.useOwnServer"="true"

This setting only applies to your Firefox (about:config) if it already exists in your about:config list. Otherwise it is dropped and you can spend hours to check your settings until you notice, that it is not provided to set not existing values. Why is that? GPOFirefox reads all of your values without any limitation. After reading, the add-on tries to change these values in Firefox. Because Firefox has different types of variables, (string, integer, boolean) it first reads the variable type (in your about:config list), to set the correct variable type and its value. That means, if your add-on tries to set a value that doesn’t exist in Firefox already, it can’t determine the variable type and wont write your setting to Firefox. Pretty uncool.
After extracting Pauls add-on I extended it to the ability to write a setting to Firefox even if it doesn’t exists. This is done by checking, if the value exists (like before) and if it doesn’t exists, the add-on tries to detect, what type the value is. If your setting extensions.xmarks.useOwnServer doesn’t exist, my code extension checks the value (in this case the value is „true“) and writes a Boolean preference to Firefox.
I stumbled across another problem, which is a bug in the add-on. If you try to set a Boolean value that is „false“, e.g. to turn off the telemetry stuff in Firefox the add-on sets this value to true. I think this happens, because the used function to create bool settings in Firefox needs an bool parameter and not a string parameter like the add-on uses. Maybe the setter function checks if the committed parameter is Boolean by checking it like „if (parameter) { write true } else { write false}“.
In this case every string is interpreted as Boolean:true and leads to this wrong behavior!

Because I don’t want to hurt any copyrights and to respect Pauls great work I only publish some instructions on how to extend the add-on by yourself.

First of all you need three Things:
– 7 Zip
– Firefox (my Version is 24)
– The gpofirefox add-on (https://add-ons.mozilla.org/de/firefox/add-on/gpo-for-firefox/)
1. Use 7Zip to extract the XPI File
2. Go to the extracted folder and open the chrome folder
3. Use 7Zip to extract the gpofirefox.jar
4. Delete gpofirefox.jar
5. Modify the file gpofirefox.js in <extracted-extension-folder>\chrome\gpofirefox\content\ (difference between original and modified)
6. Mofify <extracted-extension-folder>\chrome.manifest ( difference between original and modified )
7. Go to <extracted-extension-folder> and Select „chrome“, „defaults“, „chrome.manifest“, „install.rdf“ and use 7.ZIP -> Add new archive (zip)
8. Rename the created zip file to gpofirefox@extensions.org.xpi
9. Install your add-on (or copy it to extensions folder) Renaming and modifying the internal add-on structure is to simplify the add-on for further changes

Please leave me a comment. I’m actually thinking about creating an add-on like this with some further functionality like adding the ability to write to sqllite databases (popup blocking), replace / update files in the profile and so on. Everything controlled by the registry via group policy AD Things .
For testing purpose you can use a registry file like the below one.

Keep in mind, that these settings are only for the CURRENT_USER. If you want to set everything machine wide you have to rewrite the reg file to HKEY_LOCAL_MACHINE instead of HKEY_CURRENT_USER


Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Policies\Mozilla]
[HKEY_CURRENT_USER\Software\Policies\Mozilla\defaultpref]
"browser.startup.homepage"="intranet"
"browser.search.suggest.enabled"="false"
"browser.shell.checkDefaultBrowser"="true"
"browser.tabs.warnOnClose"="false"
"extensions.zotero.firstRun2"="false"
"signon.rememberSignons"="false"
"startup.homepage_override_url"="intranet"
"extensions.pendingOperations"="true"
"extensions.xmarks.username"="marco"
"extensions.xmarks.sync-tabs"="true"
"extensions.xmarks.syncOnShutdown"="1"
"add-on.disable_full_page_add-on_for_types"=""

[HKEY_CURRENT_USER\Software\Policies\Mozilla\lockPref]
"datareporting.healthreport.uploadEnabled"="false"
"toolkit.telemetry.enabled"="false"
"toolkit.telemetry.prompted"="2"
"toolkit.telemetry.rejected"="true"
"privacy.donottrackheader.enabled"="true"
"extensions.update.notifyUser"="false"
"browser.search.update"="false"
"browser.rights.3.shown"="true"
"extensions.blocklist.enabled"="false"
"extensions.autoDisableScopes"="0"
"extensions.zotero.firstRunGuidanceShown.saveIcon"="true"

If you want to add your settings to a GPO, open the Group Policy Management and edit your current / create a new GPO object. Now you have to choose if you want to create registry entries for user (user configuration) or computer (computer configuration). Afterwards choose [ Settings -> Windows Settings -> Registry ]. We decided to create two sub folders, one for locked pref and one for default pref, as shown here:

GPO Firefox Registry Settings

GPO Firefox Registry Settings

Next step: Create a new registry element at the right side. This could look like this:

GPO Firefox Registry Settings

GPO Firefox Registry Settings

How about an ADM/ADMX file?
– If you want to use an ADMX file you have to create it from scratch.
– There are so many settings available in Firefox itself that it would take too long to create it.
– It’s not flexible enough, because every add-on has its own settings.
– If you add another add-on / update Firefox you maybe have to extend your own ADMX file.

These are the reasons why I prefer adding everything „raw“ to the registry. For deactivating some Firefox features you have to Google once, or check the prefs.js file changes These bugs are fixed with version 0.9.3 –