Active Directory management & automation

Tutorials

Grant Rights to Execute Custom Commands

To execute Custom Commands, users must be granted appropriate permissions. It is possible to allow or deny the execution of either a specific custom command or all custom commands defined in Adaxes. The rights for Custom Command execution as well as any other rights in Adaxes are granted with the help of Security Roles. This enables you to, for example, allow specific users or groups to perform specific custom commands only on the AD objects located in a specific OU, on the members of a specific group or Business Unit, on all objects located in several AD domains, etc.

In this tutorial, you will learn how modify the built-in Security Role Help Desk to:

  • allow execution of all Custom Commands on all AD object types,
  • deny execution of all Custom Commands on Computers,
  • deny execution of a specific custom command.
If some undesired changes were made to a built-in Security Role, you can discard all changes made to this Role. For this purpose, right-click the Role you need and click Restore to Initial State in the context menu.
Launch Adaxes Administration Console, expand Adaxes service \ Configuration \ Security Roles \ Builtin. Select the Help Desk role. The permissions and assignments of this role will be displayed in the Result Pane (located to the right).

Select Security Role


To allow the execution of all Custom Commands on all AD object types, add the Execute All Custom Commands permission applied to All object types.
Add 'Execute All Custom Commands' Permission

Step by step

  1. In the Result Pane (located to the right), click Add.
    Click Add Permission
  2. Select All object types and check the Execute All Custom Commands permission in the Allow column. Click OK
    Permissions to Execute All Custom Commands

To deny execution of all Custom Commands on Computers, deny the Execute All Custom Commands permission for the Computer object type.
Deny 'Execute All Custom Commands' Permission for Computers

Step by step

  1. In the Result Pane (located to the right), click Add.
    Click Add Permission
  2. Select Computer in the list of object types and check the Execute All Custom Commands permission in the Deny column. Click OK.
    Deny Execute All Custom Commands on Computers
The Deny permissions always override the Allow permissions, so users will not be able to execute Custom Commands on Computers, even if other Security Roles grant them such rights.

To deny execution of the custom command 'My Command', deny the Execute 'My Command' permission for the corresponding object type.
Deny 'Execute My Command' Permission

Step by step

  1. In the Result Pane (located to the right), click Add.
    Click Add Permission
  2. Select an object type, on which the Custom Command can be executed and check the Execute 'My Command' permission in the Deny column. Click OK.
    Deny Execute My Command
If the Custom Command 'My Command' is deleted, the permissions that allow or deny execution of this command will be deleted from Security Roles automatically.

Delegating Permissions

Hide Active Directory objects from users
Grant rights to create users
Grant rights to modify account options
Allow managers to manage their teams
Grant rights to modify AD group membership
Grant rights to reset passwords and unlock accounts
Grant rights to create and modify Business Units
Deny rights to delete users
Grant rights to execute Custom Commands
Grant rights to modify specific properties of AD objects
Grant rights to move users between OUs

Automating Daily Tasks

Automate user home directory creation
Relocate home directories after disabling users
Automatically add users to groups by department
Add users to a specific group when they are disabled
Automatically change group membership using scripts
Move newly created users to a specific OU
Request approval for user deletion
Run PowerShell script after creating a user
Automate Exchange mailbox creation for new users
Automate Exchange mailbox configuration
Schedule tasks for AD management
Automatically set profile path for Remote Desktop Services
Send e-mail on adding members to specific groups
Send initial password to newly created users via SMS
Delete inactive computers from Active Directory
Automatically deprovision inactive AD users

Simplifying Data Entry

Auto-populate the company name when creating users
Change template for auto-generating users' full name
Specify list of departments to avoid repetitive typing
Disallow specifying telephones without country code
Make Employee ID a required property & specify its format
Set default account options for creating users
Validate/modify user input using a script
Predefine selection of Exchange mailbox stores
Automatically set account expiration date for new users
Generate initial password on user creation
Automatically set users' address based on their office
Provide custom help and tips for AD object properties

Active Directory Management

View & manage AD objects collectively
Create a Custom Command
Rename multiple AD users with one operation
Reset passwords for multiple users
Import user accounts from a CSV file
Schedule import of users from a CSV file
Modify Remote Desktop Services settings in bulk
Update user account options in bulk
Update multiple AD objects using PowerShell
View AD operations performed via Adaxes
Manage Fine-Grained Password Policies
Configure user deprovisioning

Web Interface Customization

Set custom logo and colors
Customize forms for user creation and editing
Customize Sign-In page and logon name options
Prevent users from viewing the Active Directory structure
Allow/deny access to the Web Interface
Disallow certain operations on Active Directory objects
Customize the Home page
Configure Home page actions
Configure the Active Directory pane
Customize Active Directory search
Put a custom message on the Change Password form
Hide specific Active Directory reports
Disable specific Web Interface components
Select the AD object types to be displayed in the UI
Manage Active Directory objects of a custom type
Configure columns in Active Directory object lists
Allow using templates for user creation
Customize Help and Support links
Create additional Web Interface sites

Self-Service

Configure Password Self-Service
Autoenroll users for Self-Password Reset
Allow users to modify specific properties of their accounts