Identity and Active Directory management

Tutorials

Manage Fine-Grained Password Policies

Starting from Windows Server 2008 onwards, it is possible to define different password and account lockout policies for different sets of users in Active Directory. In Windows Server 2000 and Windows Server 2003 Active Directory domains, only one password policy and account lockout policy can be applied to all users in the domain.

To view or raise the domain functional level:
  • launch Adaxes Administration Console,
  • right-click the domain you need,
  • point to All Tasks,
  • click Raise Domain Functional Level.

Fine-grained password policies enable you to define multiple password and account lockout policies within a domain. This capability allows you to apply different levels of security to different users and groups. For example, you can apply strict policies to privileged users (such as administrators and help desk personnel) and less severe policies to other users.

In this tutorial, you will learn how to configure and manage Fine-Grained Password Policies using Adaxes.

1Launch Adaxes Administration Console, right-click the domain, for which you want to configure fine-grained password policies, point to All Tasks, and select Configure Password Policies from the context menu.

Launch the Configure Password Policies dialog

2 The Password Policies dialog displays an overview of the password policies currently defined in the domain.

The Password Policies dialog

Using this dialog, you can also view and modify the Default Domain Password Policy that is normally configured in the Default Domain Policy GPO.

3 To define a new password policy:

  • Click the New button located under the Password policies list.
  • In the New Password Policy dialog that opens, type a name for the new password policy and specify necessary password and account lockout settings.
  • Click OK.

Add new Password Policy

  • Click the Add button located under the Applies to list to apply the new password policy to users and groups you need.
  • Select the users and groups you need.
  • Click OK.

Assign the new password policy

Fine-grained password policies can be applied to global security groups, users and InetOrgPersons only.

4 To change the precedence order of a password policy, select this policy in the Password policies list and use Move Up and Move Down buttons.

Change the precedence order

If two or more password policies are applied to one and the same user, this user will be affected by the password policy with a higher precedence.

5 To view all users affected by a password policy, select the password policy you need and click the Show All Affected Users button located under the Applies to list.

View users affected by a password policy

If the Affected Users dialog doesn't display some users the selected password policy applies to, it means that they are affected by another password policy with a higher precedence.

6 To view the password policy effective for a specific user, click Lookup Policy for User. In the Select User dialog, select the user you need and click OK. The password policy effective for the selected user will be highlighted.

view the password policy effective for a specific user

Alternatively, to view the password policy effective for a user (not using the Password Policies dialog), do the following:

  • Right-click the user you need and click Properties.
  • Select the Account tab.
  • In the Password section, click Password Policy.

The View Password Policy dialog will display Password Policy restrictions effective for the selected user.

view the password policy effective for a specific user using the Properties dialog

Delegating Permissions

Hide Active Directory objects from users
Grant rights to create users
Grant rights to modify account options
Grant rights to modify AD group membership
Grant rights to reset passwords and unlock accounts
Grant rights to create and modify Business Units
Deny rights to delete users
Grant rights to execute Custom Commands
Grant rights to modify specific properties of AD objects
Grant rights to move users between OUs

Automating Daily Tasks

Automate user home directory creation
Relocate home directories after disabling users
Automatically add users to groups by department
Add users to a specific group when they are disabled
Automatically change group membership using scripts
Move newly created users to a specific OU
Request approval for user deletion
Run PowerShell script after creating a user
Automate Exchange mailboxes creation for new users
Schedule tasks for AD management
Automatically set Terminal Services Profile path for new users
Send e-mail on adding members to specific groups
Send initial password to newly created users via SMS
Delete inactive computers from Active Directory
Automatically deprovision inactive AD users

Simplifying Data Entry

Auto-populate the company name when creating users
Change template for auto-generating users' full name
Specify list of departments to avoid repetitive typing
Disallow specifying telephones without country code
Make Employee ID a required property & specify its format
Set default account options for creating users
Validate/modify user input using a script
Predefine selection of Exchange mailbox stores
Automatically set account expiration date for new users
Generate initial password on user creation
Automatically set users' address based on their office
Provide custom help and tips for AD object properties

Active Directory Management

View & manage AD objects collectively
Create a Custom Command
Rename multiple AD users with one operation
Reset passwords for multiple users
Import user accounts from a CSV file
Schedule import of users from a CSV file
Modify Terminal Services settings in bulk
Update user account options in bulk
Update multiple AD objects using PowerShell
View AD operations performed via Adaxes
Manage Fine-Grained Password Policies
Configure user deprovisioning

Web Interface Customization

Set custom logo and colors
Customize forms for user creation and editing
Customize Sign-In page and logon name options
Prevent users from viewing the Active Directory structure
Allow/deny access to the Web Interface
Disallow certain operations on Active Directory objects
Customize the Home page
Configure Home page actions
Configure the Active Directory pane
Customize Active Directory search
Put a custom message on the Change Password form
Hide specific Active Directory reports
Disable specific Web Interface components
Select the AD object types to be displayed in the UI
Manage Active Directory objects of a custom type
Configure columns in Active Directory object lists
Allow using templates for user creation
Create additional Web Interface sites

Self-Service

Configure Password Self-Service
Autoenroll users for Self-Password Reset
Allow users to modify specific properties of their accounts