JIT computers mapping - idea

[sylwester-majcher]

According: https://github.com/lithnet/access-manager/wiki/Jit-Access-Page for "JIT group mapping".
For Computer OU there is only option-it is logical-to choose specific OU.
My idea is to be able to choose computers by security group or by custom attribute(example LAPS:value1,value2,valueXX). It is because let's image the scenerious when I manage my all computers in the company by custom attributes and I keep my object in one OU. I dont devide OU's structure per department, city, etc. and this is real sceneroiu cause we are doing it just now in the company. is it a lot of job or is it possible to do? For now if we choose only 10% computers to participate in the JIT process in fact we have to allow to create 20k groups cause we have in this ou 20K objects.
Best regards
Sylwester

[ryannewington]

@sylwester-majcher I've had a look at the code, and it would be a little complicated to add additional custom filtering to the current code base.

However, the JIT group creation feature is really just a 'convenience' feature. AMS doesn't need to create these groups. You can simply use a PowerShell script to the create only the groups you need. Just make sure the name of the group matches the naming convention in the authorization rule, and that the AMS service account can manage membership. There is otherwise nothing special about the groups AMS creates for you.