
Allow Managers to Manage Their Teams

Your organization may authorize managers to perform operations on their subordinates in Active Directory. A user's manager is specified in the Manager property of the user's account. In Adaxes, you can grant managers the rights to manage their teams. If you change the manager of a user, the previous manager loses the rights and the new manager gains them.

In this tutorial you will learn how to create a Security Role with the necessary permissions and assign it to managers of users.

Launch Adaxes Administration Console, right-click your Adaxes service, point to New and click Security Role. The Create Security Role wizard will open.

Launching the Create Security Role wizard

Enter the name for the new Role and click Next.

Now you need to specify the permissions that you want to delegate to managers. To do this, click Add.

Adding Permissions

Since the Security Role will allow managers to manage user accounts, select the User object type.

Specifying User Object Type

In the right portion of the dialog, select the operations that you want to allow managers to perform. For example, if you want to allow managers to reset passwords, check the Reset Password permission in the Allow column.

Selecting General Permission

Optionally, add the Read permission

It is reasonable to allow managers to view their teammates. By default, this permission is granted by the Domain Users built-in Role. However, if that Role is disabled, managers will not be able to view their team in Active Directory.

Check the Read permission in the Allow column.

Specify additional permissions

When done, click OK and Next.

Now you need to assign the new Role. Since you want to grant permissions to managers, select the Manager security principal and click Assign.

Role assignment to object manager

In the Role Activity Scope dialog that opens, you need to specify the user accounts that will be managed by their managers. You can select one of the following options:

  • All Objects - the Role will be assigned to managers of all users in all the AD domains managed by Adaxes.
  • Specific Domain - the Role will be assigned to managers of the users located in the selected domain. If you select a domain, you will need to specify the assignment scope in the Assignment Options dialog. The only applicable option is All objects in this Domain.

    Assignment Options for a Specific Domain

  • OU or Container - the Role will be assigned to managers of the users located in the selected OU or container. If you select an OU or container, you will need to specify the assignment scope in the Assignment Options dialog.

    Assignment Options

    • If you want to assign the Role to managers of all users in the selected OU at any nesting level, select Child objects of this Organizational-Unit.
    • If you want to assign the Role to managers of the users who are direct children of the selected OU, select Child objects of this Organizational-Unit and Immediate child objects only.

    Click OK.

    Assignment Options for an OU or Container

  • Group - the Role will be assigned to managers of members of the selected group. If you select a group, you will need to specify the assignment scope in the Assignment Options dialog.

    Assignment Options

    • If you want to assign the Role to managers of all members of the group, select Members of this Group.
    • If you want to assign the Role to managers of direct members of the group only, select Members of this Group and Direct members only.

    Click OK.

    Assignment Options for a Group

  • Business Unit - the Role will be assigned to managers of members of the selected Business Unit. If you want to select a Business Unit, select Business Units in the Look in drop-down list.

    Viewing Business Units

    If you select a Business Unit, you will need to specify the assignment scope in the Assignment Options dialog. The only applicable option is Members of this Business Unit.

    Assignment Options

Select the object you need and click Add. When finished, click OK.

When specified, the assignments will be displayed in the Assignments list. Click Finish.

Assignments

Distribution of permissions with the help of Security Roles does not modify native Active Directory permissions. This means that managers of users will not be able to apply the permissions granted by this Security Role outside of Adaxes.
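
Because the Role follows the Manager property, it is worth reviewing who gains rights over whom in an OU scope before assigning it. The PowerShell function below is an added example, not Adaxes code; the function name, flag names, and sample records are assumptions, and it models only the OU or Container scope options described above.

```powershell
# Added example (not Adaxes code). Lists manager -> user pairs the Role would cover.
function Get-ManagerDelegationReport {
    param(
        [Parameter(Mandatory)] [object[]] $Users,    # needs DistinguishedName, Manager, Enabled, adminCount
        [Parameter(Mandatory)] [string]   $ScopeDN,  # OU picked in the Role Activity Scope dialog
        [switch] $ImmediateChildrenOnly              # mirrors "Immediate child objects only"
    )
    $byDn = @{}                                      # case-insensitive lookup of accounts by DN
    foreach ($u in $Users) { $byDn[$u.DistinguishedName] = $u }

    foreach ($u in $Users) {
        $dn = $u.DistinguishedName
        if (-not $u.Manager) { continue }            # no Manager set, so nobody gains rights
        if (-not $dn.EndsWith(",$ScopeDN", [StringComparison]::OrdinalIgnoreCase)) { continue }
        if ($ImmediateChildrenOnly) {
            # What remains left of the scope DN must be a single RDN (no unescaped comma).
            $relative = $dn.Substring(0, $dn.Length - $ScopeDN.Length - 1)
            if ($relative -match '(?<!\\),') { continue }
        }
        $mgr   = $byDn[$u.Manager]
        $flags = @()
        if ($u.adminCount -eq 1) { $flags += 'PrivilegedReport' }   # privileged account has a manager
        if (-not $mgr) { $flags += 'ManagerUnresolved' }            # manager not in the input set
        elseif (-not $mgr.Enabled) { $flags += 'ManagerDisabled' }  # stale Manager value
        [pscustomobject]@{ Manager = $u.Manager; User = $dn; Flags = ($flags -join ',') }
    }
}

# Constructed sample records. In production, pass the output of
# Get-ADUser -Filter * -Properties Manager, adminCount (ActiveDirectory module) as -Users.
$ou = 'OU=Sales,DC=example,DC=com'
$sample = @(
    [pscustomobject]@{ DistinguishedName = "CN=Ann Lee,$ou"; Manager = $null; Enabled = $true; adminCount = $null }
    [pscustomobject]@{ DistinguishedName = "CN=Bob Roy,$ou"; Manager = "CN=Ann Lee,$ou"; Enabled = $true; adminCount = $null }
    [pscustomobject]@{ DistinguishedName = "CN=Cy Admin,OU=IT,$ou"; Manager = "CN=Ann Lee,$ou"; Enabled = $true; adminCount = 1 }
    [pscustomobject]@{ DistinguishedName = "CN=Dee Poe,$ou"; Manager = 'CN=Old Boss,OU=Former,DC=example,DC=com'; Enabled = $true; adminCount = $null }
    [pscustomobject]@{ DistinguishedName = 'CN=Old Boss,OU=Former,DC=example,DC=com'; Manager = $null; Enabled = $false; adminCount = $null }
)
Get-ManagerDelegationReport -Users $sample -ScopeDN $ou | Format-Table -AutoSize
Get-ManagerDelegationReport -Users $sample -ScopeDN $ou -ImmediateChildrenOnly | Format-Table -AutoSize
```

With the sample data, the first call reports three pairs, including the privileged account in the nested OU and the user whose manager is disabled; the second call drops the nested-OU account.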

Managers can quickly access members of their teams on the My Team Page of Adaxes Web Interface. To open the My Team page, click the My Team link in the My Panel section.
