Active Directory management & automation

Grant Rights to Modify AD Group Membership

To allow specific users or groups to modify AD group membership, grant them the Write 'Member' Property permission. To do so, create a Security Role that grants this permission and assign the new Role to the users or groups that should be allowed to modify group membership.

1. Launch Adaxes Administration Console, right-click your Adaxes service, point to New, and click Security Role. The Create Security Role wizard will open.

Launching the Create Security Role wizard

2. Enter the name for the new Role and click Next.

3. Specify the permissions the new Role will grant. To allow modifying AD group membership, permit writing the 'Member' property of group objects. Click the Add button to open the Add Permissions dialog.

Create Security Role - Step 2

4. In the list of object types to which the permissions apply, select Group. In the Property-specific permissions section, check the Write 'Member' Property permission in the Allow column. Click OK.

Add Permission


Optionally, add the Read permission

It is reasonable to add the Read - All object types permission to every Security Role, as this permission allows browsing Active Directory. By default, this permission is granted by the Domain Users built-in Role; however, if that Role is disabled, users will not be able to view any objects in Active Directory.

Click the Add button again to open the Add Permissions dialog. In the General permissions section, select the Read permission in the Allow column. Click OK.

Specify additional permissions

When done, click Next.

5. On the Assign Role page, specify the users or groups to which you want to assign the new Role. To quickly find a user or group, type its name in the search field, click the Search button, and select the object you need in the search results.

Role assignments

Delegate Group Management to Owners

In Active Directory, you can assign an owner for each group. The owner is specified in the Managed By property of a group. To allow owners to add or remove members from their groups, select the Owner (Managed By) security principal.

Assign role to group owners

If you change the owner of a group, the previous owner loses the right to modify the group's membership and the new owner gains it.

Select the necessary option and click Assign.

6. In the Role Activity Scope dialog that opens, select where the specified users or groups will be able to apply the permissions granted by this Security Role.

You can select one of the following items:

  • All Objects - select if you want to allow the users or groups specified at the previous step to add and remove members of any group in any AD domain managed by the Adaxes service.

  • Specific Domain - select a specific AD domain if you want to allow modifying membership of any group in the AD domain you specify. Once selected, you will need to specify the assignment scope in the Assignment Options dialog.

    Assignment Options

    Select All objects in this Domain. The users or groups specified at the previous step will then be able to apply the permissions of the new Role to all groups in the selected domain.

    Assignment Options for a Specific Domain

  • OU or Container - select a specific organizational unit or container if you want to allow modifying membership of any group located in the selected OU or container. Once selected, you will need to specify the assignment scope in the Assignment Options dialog.

    Assignment Options

    To allow modifying membership of all groups under the selected OU at any nesting level, select Child objects of this Organizational-Unit. To restrict this to the groups that are direct children of the selected OU, also check Immediate child objects only.

    Assignment Options for an OU or Container

  • Group - select a specific group if you want to allow modifying membership of this group or of the groups that are members of this group. Once selected, you will need to specify the assignment scope in the Assignment Options dialog.

    Assignment Options

    To allow modifying membership of the selected group only, select This Group object.

    To allow modifying membership of the groups that are members of the selected group, select Members of this Group.

    To restrict this to the groups that are direct members of the selected group, also check Direct members only.

    Assignment Options

  • Business Unit - select a Business Unit if you want to allow modifying membership of the groups that are members of a specific Business Unit. To view available Business Units, select the Business Units item in the Look in drop-down list.

    Viewing Business Units

    Once selected, you will need to specify the assignment scope in the Assignment Options dialog.

    Assignment Options

    In this case, the only applicable option is Members of this Business Unit. This means that the assignment will include all groups that are members of the selected Business Unit. Select this option and click OK.

    Assignment Options

Select the object you need and click Add. When finished, click OK.

7. The assignments you specified will be displayed in the Assignments list. To add assignments for other users or groups, repeat steps 5 and 6. Click Finish.

Assignments

Granting permissions through Security Roles does not modify native Active Directory permissions.
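Because a Security Role leaves the native AD access control lists untouched, the Role's activity scope is not the only path to a group's membership: any principal that already holds the native equivalent (WriteProperty on the member attribute, or a broader write on the group object) can change members outside Adaxes. The following PowerShell script is an added example, not part of this tutorial or of Adaxes, that lists such principals for every group under an OU so the delegation configured above can be compared with what native ACLs already allow. It assumes the ActiveDirectory module (RSAT) is installed and uses a constructed OU distinguished name that you replace with your own.

```powershell
# Added example; not part of Adaxes or this tutorial.
# Reports which principals hold the native AD equivalent of the
# Write 'Member' Property permission on the groups under an OU.
# Adaxes Security Roles do not create such ACEs, so anything listed
# here was delegated outside Adaxes and is not limited by the Role's scope.
# Requires the ActiveDirectory module (RSAT) and read access to the OU.
Import-Module ActiveDirectory

function Get-GroupMemberWriters {
    param(
        # Assumption: the OU to audit; pass your own distinguished name.
        [Parameter(Mandatory)][string]$SearchBase
    )

    # Schema GUID of the 'member' attribute; identical in every AD forest.
    $memberAttr = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
    $write      = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

    Get-ADGroup -Filter * -SearchBase $SearchBase -SearchScope Subtree |
        ForEach-Object {
            $group = $_
            # The AD: PSDrive exposes each object's security descriptor to Get-Acl.
            $acl = Get-Acl -Path ("AD:\" + $group.DistinguishedName)

            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }

                # WriteProperty is also contained in GenericWrite and GenericAll,
                # so a bitwise test catches those broader grants as well.
                if (([int]$ace.ActiveDirectoryRights -band $write) -eq 0) { continue }

                # ObjectType names the attribute the ACE applies to;
                # an empty GUID means the ACE covers every attribute.
                if ($ace.ObjectType -eq $memberAttr) {
                    $scope = 'member only'
                } elseif ($ace.ObjectType -eq [guid]::Empty) {
                    $scope = 'all properties'
                } else {
                    continue   # write access to some other attribute; irrelevant here
                }

                [pscustomobject]@{
                    Group     = $group.Name
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.ActiveDirectoryRights
                    Scope     = $scope
                    Inherited = $ace.IsInherited
                }
            }
        }
}

# Usage with a constructed OU name; replace it with the OU you delegated in step 6.
Get-GroupMemberWriters -SearchBase 'OU=Groups,DC=example,DC=com' |
    Sort-Object Group, Principal |
    Format-Table -AutoSize
```

Entries whose Scope is 'all properties' or whose Rights include GenericAll deserve the closest look, since they grant far more than membership changes; inherited entries usually trace back to an ACE set on the OU itself rather than on the individual group.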