9.1Users and Groups
Users are managed through the Config page’s Users and Groups section.
Here you will see a list of all of the users and groups that have been added to OVERLAPS and have the ability to edit or remove them.
9.1.1Add a New User or Group
To add a user, click the New User/Group button, a window will appear allowing you to enter the user or group’s account (user) name.
Start typing the username and OVERLAPS will search Active Directory for potential matches for you to select from.
Here you may also set the user or group’s site-wide permissions:
Users with this permission have full permission to everything in OVERLAPS. They are the only ones who can add or remove users, grant permission to OUs, and change the various system settings.
Warning: This allows the user full access to everything in OVERLAPS, including the ability to grant access to the LAPS password of any computer in the domain, including servers, to any other domain user.
22.214.171.124Edit Self Service
Granting this permission allows the user or group to add or remove Self Service computers from other users or groups.
Users with the View History permission can access the History page and view a log of everything that other users are doing within OVERLAPS.
126.96.36.199Set a Precise Expire Date & Time
If checked, this user/group can specify a date and time when expiring a computer’s password (instead of it expiring immediately).
If checked, the user or group is not allowed to browse Active Directory containers even if they have permission to do so. Their only means of accessing a computer that they have permission to is by searching for it.
You can edit users in one of two ways:
188.8.131.52One at a Time
Click the user or group name in the list to access a dropdown allowing you to view or modify various settings for that user.
Both Users and Groups have options for editing the Rate Limits (see 9.1.3), Self Service Computers (see 9.1.5) and User Access Levels (see 9.1.4); Groups also have menu options for to View Members to see what users appear in the group, and Refresh Group to order the group to be updated. If the user has Two Factor Authentication enabled, you will also see the option Disable Two Factor Authentication which can be used to disable this for the user in case they become locked out of their account.
184.108.40.206Multiple Users/Groups at the Same Time
Select one or more users or groups by checkbox next to their entry in the user list, then click the Edit User button to edit the Rate Limits, Self Service Computers and User Access Levels for all of them at once.
When you edit multiple users at the same time, the edit window will have an additional Selected Users dropdown that you can use to confirm which users you have selected and toggle them off to exclude them from the edit operation if desired.
Clicking a user will deselect them, and any changes made when clicking Save Changes will no longer apply to them. Clicking the user again will re-select them, including them in the edit operation again.
9.1.3Setting Rate Limits
You can set a limit on users and groups which controls how many: a) Password Read Requests, and b) Password Expirations or Resets, those users can perform in a given time period.
This can be useful to prevent over-exposure of your Local Administrator passwords, and to prevent a user from mass-exporting them.
Password Request limits and Password Reset limits can be controlled independently. To set a limit:
- Click the checkbox to Enable the limit you want to impose (use the tabs to switch between Password Requests and Password Resets),
- Specify a maximum number of requests (Maximum Requests/Resets) that can be performed in a specific time frame,
- Specify the time span and period that this will be monitored over,
- If the user(s) attempt more than the maximum requests in the given time period, they will be blocked until that time period has passed.
For example, for a normal user you may want them to stay under 25 requests per day, so you would set it to - Maximum: 25, Every: 1, Period: Day.
A warning note on group memberships
In order to handle multi-group membership in an efficient and minimally complex way, there is an important point to remember: where a user is a member of multiple groups, each with its own rate limit, OVERLAPS will select the lowest value from all of the rate limit time periods AND the minimum number of requests.
This means if you have a group with a limit of 5 requests every day, and another with a limit of 25 requests every 10 minutes, a member of both groups will end up with the limit 5 requests every 10 minutes.
This is done to be in-line with least privilege best practices. If the need arises to override the rate limit a user is experiencing because of their group memberships, the correct way would be to add the user explicitly to OVERLAPS as explicit user settings always take priority over group memberships.
9.1.4Changing User Access Levels
This window allows you to change the overall access that the user(s) have to the OVERLAPS website.
Administrators (users with Edit Settings permission) have full access to every Active Directory container, and the ability to modify users and site settings. This should be limited to only a few trusted users.
Users who have the Edit Self Service permission can add and remove Self Service computers from other users and groups. This allows you to delegate the management of Self Service to non-administrators but be wary as they will be able to grant permission to any computer in the domain (including servers).
People with View History permission have the ability to view a history of events that occur within OVERLAPS such as users logging in/out and viewing passwords.
220.127.116.11Set a Precise Expire Date & Time
Users who can Set a Precise Expire Date & Time can specify when a computer’s password will expire instead of it occurring immediately.
18.104.22.168Allow Browsing Active Directory
You can use this setting to completely disable the Browser section of the site whether users have access to computers in an Organizational Unit or not. This allows you to restrict users to searching for computers only.
When modifying a single user/group, you can either Enable (Allow) or Disable (Deny) each permission.
When editing multiple users, setting an option to No Change (default) means that no changes to each users’ current access will be made. Setting it to Denied disables the selected access for all selected users, and Allowed will grant the selected access for all selected users.
9.1.5Managing User Self Service Computers
The Self-Service Computers window allows you to specify one or more computers which the selected user(s) or group(s) will be able to access the Local Administrator password for. This allows for “power users” to be setup with access to a small number of computers where granting access to an entire Organizational Unit is not desirable.
Warning: When selecting multiple users/groups and opening this window, all of the Self-Service computers for all of the users will be shown. Saving Changes now will grant access to all of those computers to all of the selected users. For this reason, it is recommended to only edit one user at a time.
22.214.171.124Manually Adding Self-Service Computers
To add a computer, start typing its name in the Computer Name field. You will be presented with a list of similar matching computer names from Active Directory.
To add one of the displayed computers, simple click its name and it will be added to the list of computers below the computer name box.
126.96.36.199Using Active Directory's "Managed By" Property
An alternative (or addition) to adding the computers one-by-one here is to check one of the Active Directory “Managed By" option under the Managed By tab.
Selecting either the Authorisation Required or Authorisation Not Required options will, when a user goes to their Self-Service page, also show a list of any computers that the user is marked as the Manager of through Active Directory.
This can be a quicker way of setting up Self Service if you have already populated this value, or if you are planning to populate it by, for example, exporting the information from SCCM by a script.
For information about the Self-Service experience, see Self Service.
For manually added computers, the “Auth Req” checkbox indicates that the user must first submit an Authorisation Request and have it approved before they can view the computer’s password.
When using the “Managed By” feature, you can also select whether an Authorisation Request is required or not by selecting the appropriate option.
To nominate a user or group who can provide or deny authorisation requests generated by a Self Service user you can use one of two methods:
You can add a user or group to the Active Directory container permissions (see Container Permissions), and check the option Authorise Self-Service Access Requests. This will grant the user permission to authorise requests from Self Service users on all computers in this container.
2. Self-Service Authoriser
Alternatively, you can specify the user/group in the Self-Service settings dialog as shown above. This will allow the user to authorise Self Service requests only on the computers in this Self-Service setup.
If you want to grant temporary Self-Service access then you can specify an expiry date and time. After this time the user will lose access to all of their Self-Service computers listed under the Computers tab. Note this does not apply to access granted by the Managed By property.
9.1.6Removing a User
Selecting one or more users and clicking the Remove button will prompt you to confirm that you want to remove the user completely from OVERLAPS. This process is not reversible, and to re-add the user or group you would have to completely set up their settings and permissions again.
9.1.7Disabling Expired Account Checks
There are some rare instances where Active Directory may mis-report an account as being expired or disabled when it isn't, preventing them from logging in. If you encounter this condition then you can disable OVERLAPS' internal checks for expired accounts by using the Disable Account Expiry Checks individual user menu action.
Note that if the account is actually properly disabled or expired in Active Directory then login will still fail, and this option should only be used as a last resort.
It is important to note that, for security reasons, if a computer is moved from its Organizational Unit to another, any users with that computer added to their Self Service computer list will lose access to it until it is removed and re-added to their list.