Deny Rights to Delete Users

To prevent specific users or groups from deleting user accounts, even if other Security Roles grant them this right, you need to deny the Delete Object permission to those users. To do this, create a Security Role that denies this permission and assign the new Role to the users or groups that should not be allowed to delete user accounts.

Deny permissions always override Allow permissions. That is, if a user holds both a Deny and an Allow permission for the same operation, the user cannot perform that operation, because the Deny permission has the higher priority.

1. Launch Adaxes Administration Console, right-click your Adaxes service, point to New and click Security Role. The Create Security Role wizard opens.

2. Enter a name for the new Role and click Next.

3. Specify the permissions the new Role will grant. Click Add.

4. In the Add Permissions dialog that opens, do the following:

  • Select User in the list of object types to which the permissions are applied.
  • Check the Delete Object permission in the Deny column of the General permissions section, then click OK.

5. Click Next. On the Assign Role page, specify the users or groups to which you want to assign the new Role. To quickly find a user or group, type its name in the search field, click the Search button and select the object you need in the search results. Then click Assign.

6. In the Role Activity Scope dialog that opens, select where the specified users or groups should be prevented from deleting user accounts.

You can select one of the following items:

  • All Objects - select this if you want to prevent the specified users or groups from deleting user accounts located in any AD domain managed by the Adaxes service.

  • Specific Domain - select a specific AD domain if you want to prevent the specified users or groups from deleting user accounts in that domain. Once selected, you need to specify the assignment scope in the Assignment Options dialog.

    Select All objects in this Domain. This means that the specified users or groups will be unable to delete any user in the selected domain.

  • OU or Container - select a specific organizational unit or container if you want to prevent deletion of user accounts located in the selected OU or container. Once selected, you need to specify the assignment scope in the Assignment Options dialog.

    To prevent deletion of users anywhere under the selected OU, at any nesting level, click Child objects of this Organizational-Unit. To restrict this to users that are direct children of the selected OU, also check Immediate child objects only.

  • Group - select a specific group if you want to prevent deletion of users that are members of the selected group. Once selected, you need to specify the assignment scope in the Assignment Options dialog.

    To prevent deletion of users that are members of the selected group, select Members of this Group.

    To restrict this to users that are direct members of the selected group, also check Direct members only.

  • Business Unit - select a Business Unit if you want to prevent deletion of users that are members of a specific Business Unit. To view the available Business Units, select the Business Units item in the Look in drop-down list.

    Once selected, you will need to specify the assignment scope in the Assignment Options dialog.

    In this case, the only applicable option is Members of this Business Unit. This means that the assignment includes all users that are members of the selected Business Unit. Select this option and click OK.

Select the object you need and click Add. When finished, click OK.

7. The assignments you specified are displayed in the Assignments list. To assign the Role to other users or groups, repeat steps 5 and 6. Click Finish.

Distributing permissions with Security Roles does not modify native Active Directory permissions; the Roles are enforced by Adaxes on top of the existing AD ACLs.

Once the new Security Role is created, the users it is assigned to will be unable to delete user accounts, even if other Security Roles assigned to them grant this permission.
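Because the Deny in a Security Role is enforced by Adaxes and leaves the native Active Directory ACLs untouched, a useful complement is to review who still holds native delete rights on the OU the Role was scoped to. The following PowerShell is an added example and not part of the Adaxes documentation; it assumes the RSAT ActiveDirectory module (which provides the AD: drive), and the OU distinguished name is a placeholder.

```powershell
# Added example (not from the Adaxes documentation): list native AD ACEs that grant
# delete rights on a container, since an Adaxes Security Role deny does not change them.
# Assumes the ActiveDirectory module is installed; the OU DN below is a placeholder.
Import-Module ActiveDirectory

function Get-NativeDeleteRights {
    param(
        [Parameter(Mandatory)] [string]   $DistinguishedName,
        [string[]]                         $Trustee = @()   # optional: only these identities, e.g. 'CONTOSO\Helpdesk'
    )

    # Rights that allow removing the object itself, its children, or a whole subtree.
    $deleteRights = [System.DirectoryServices.ActiveDirectoryRights] 'Delete, DeleteChild, DeleteTree, GenericAll'

    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)

    foreach ($ace in $acl.Access) {
        # Only Allow entries matter here; native Deny entries already restrict the trustee.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.ActiveDirectoryRights -band $deleteRights) -eq 0) { continue }
        if ($Trustee.Count -gt 0 -and $Trustee -notcontains $ace.IdentityReference.Value) { continue }

        [pscustomobject]@{
            Container           = $DistinguishedName
            Trustee             = $ace.IdentityReference.Value
            Rights              = $ace.ActiveDirectoryRights
            Inherited           = $ace.IsInherited
            # GUID of the child object class the ACE is limited to; all zeros means any class.
            InheritedObjectType = $ace.InheritedObjectType
        }
    }
}

# Report native delete rights on the scoped OU, leaving out the well-known administrative principals.
Get-NativeDeleteRights -DistinguishedName 'OU=Staff,DC=example,DC=com' |
    Where-Object { $_.Trustee -notmatch '^(NT AUTHORITY\\SYSTEM|BUILTIN\\Administrators|.*\\Domain Admins|.*\\Enterprise Admins)$' } |
    Format-Table -AutoSize
```

Any trustee listed here can still delete users through native tools regardless of the Adaxes Role, so those ACEs are the ones to reconcile with the Deny you just configured.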
