Active Directory management & automation

Grant Rights to Modify Specific Properties of AD Objects

Using Security Roles, you can allow users to modify specific properties of Active Directory objects. For example, you can enable users to modify only the Employee ID property of user accounts in Active Directory.

This tutorial includes step-by-step instructions on how to create a Security Role that grants permission to modify a single property of AD objects, and how to assign this role to users and groups.

Launch Adaxes Administration Console, right-click your Adaxes service, point to New and click Security Role. The Create Security Role wizard will open.

Launching the Create Security Role wizard


Enter the name for the new Role and click Next.

On the Role Permissions page, specify which permissions the new role will grant. Click Add to add a permission to the role.

Adding Permissions


To add a permission to modify a specific property:
  • Select the type of AD objects whose property you want to allow users to modify.

    Specifying Object Type

    Properties of the selected object type will be displayed in the Property-specific permissions section.
    If the property you want to delegate exists on all types of objects (e.g. Description), you can apply the permission to all object types. To do so, select All object types above the list of object types.

  • Type the name or a part of the name of the desired property in the filter edit box located in the Property-specific permissions section. For example, if you want to allow modifying the Account Expires property, type 'expires'.
    If the property you need is not available in the Property-specific permissions section, enable the Show all properties option.
  • Check the Allow option for the property.

    Selecting Permission

  • Click OK and then click Next.

On the Assign Role page, specify the users or groups to which you want to assign the new role.
To quickly find a user or group, type its name in the search field and click the search button.
Select a user or group in the list of available trustees and click the Assign button.

Role assignments

In the Role Activity Scope dialog that opens, specify the objects to which the users or groups selected in the previous step will be able to apply the permissions granted by the new role.

You can select the following items:
  • All Objects - select if you want to allow the users or groups specified at the previous step to apply the specified permission to any user account in any AD domain managed by the Adaxes service.
  • Specific Domain - select a specific AD domain if you want to allow applying the specified permission to any user in the AD domain you specify. If you select a domain, you will need to specify the assignment scope in the Assignment Options dialog.

    Assignment Options

    Select All objects in this Domain. It means that users or groups specified at the previous step will be able to apply permissions of the new Role to all accounts in the selected domain. Click OK.

    Assignment Options for a Specific Domain

  • OU or Container - select a specific organizational unit or container if you want to allow applying the specified permission to any user located in the selected OU or container. If you select an OU or container, you will need to specify the assignment scope in the Assignment Options dialog.

    Assignment Options

    To allow applying the specified permission to all children of the selected OU at any nesting level, select Child objects of this Organizational-Unit. To allow applying it to the direct child objects of the selected OU only, also check Immediate child objects only. Select the option you need and click OK.

    Assignment Options for an OU or Container

  • Group - select a specific group if you want to allow applying the specified permission to any user that is a member of the selected group. If you select a group, you will need to specify the assignment scope in the Assignment Options dialog.

    Assignment Options

    To allow applying the specified permission to any group member, select Members of this Group. To allow applying the specified permission to direct group members only, also check Direct members only. Click OK.

    Assignment Options

  • Business Unit - select a Business Unit if you want to allow applying the specified permission to user accounts that are members of a specific Business Unit. To view available Business Units, select the Business Units item in the Look in drop-down list.

    Viewing Business Units

    If you select a Business Unit, you will need to specify the assignment scope in the Assignment Options dialog.

    Assignment Options

    In this case, the only applicable option is Members of this Business Unit. It means that the new Role permissions will be applied to all user accounts that are the members of the selected Business Unit. Select this option and click OK.

    Assignment Options


Select the object you need and click Add. When finished, click OK.

The assignments you have made are displayed in the Assignments list. To assign the role to other users or groups, repeat steps 5 and 6 (Assign Role and Role Activity Scope). Click Finish.

Assignments

Delegating permissions with Security Roles does not modify native Active Directory permissions; the ACLs on the AD objects themselves stay unchanged.
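Because a Security Role leaves the native ACLs untouched, a practitioner usually wants to see what the attribute-level grant looks like at the Active Directory layer and to audit who already holds such grants there. The PowerShell below is an added example and is not Adaxes code, not code from this page, and not part of the Adaxes product: it writes a native ACE that allows a group to set one attribute (employeeID) on user objects beneath an OU, and it lists every ACE on an object that is limited to a single attribute or property set. The OU, group and domain names are constructed assumptions; the attribute name is the page's Employee ID example.

```powershell
# Added example, not Adaxes code and not from the page. Requires the ActiveDirectory module (RSAT).
# Constructed assumptions: OU=Staff,DC=contoso,DC=com and the group HR-EmployeeID-Editors.
Import-Module ActiveDirectory

# Map schemaIDGUID -> lDAPDisplayName (attributes and classes) and rightsGuid -> displayName
# (property sets and extended rights), so the GUIDs stored in ACEs can be shown by name.
function Get-AdGuidNameMap {
    $rootDse = Get-ADRootDSE
    $map = @{}
    Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
        -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $map[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter '(rightsGuid=*)' -Properties displayName, rightsGuid |
        ForEach-Object { $map[[guid]$_.rightsGuid] = $_.displayName }
    return $map
}

# Grant WriteProperty on exactly one attribute, inherited only by user objects under the OU.
function Grant-AttributeWrite {
    param(
        [Parameter(Mandatory)][string]$OuDistinguishedName,
        [Parameter(Mandatory)][string]$GroupSamAccountName,
        [Parameter(Mandatory)][string]$AttributeLdapDisplayName
    )
    $map = Get-AdGuidNameMap
    $attrGuid = ($map.GetEnumerator() | Where-Object { $_.Value -eq $AttributeLdapDisplayName } | Select-Object -First 1).Key
    $userGuid = ($map.GetEnumerator() | Where-Object { $_.Value -eq 'user' } | Select-Object -First 1).Key
    if (-not $attrGuid) { throw "Attribute '$AttributeLdapDisplayName' not found in the schema" }

    $sid  = (Get-ADGroup -Identity $GroupSamAccountName).SID
    $path = "AD:\$OuDistinguishedName"
    $acl  = Get-Acl -Path $path
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $attrGuid,      # objectType: the ACE covers this one attribute only
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userGuid       # inheritedObjectType: applies to user objects only, not the OU itself
    )
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

# Audit: list ACEs on an object that grant WriteProperty scoped to a single attribute or property set.
# An ACE whose ObjectType is empty grants write on ALL properties and is deliberately excluded here;
# such entries are the broad grants a reviewer should look for separately.
function Get-AttributeWriteGrants {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $map = Get-AdGuidNameMap
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        $hasWrite = ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -ne 0
        $scoped   = ($ace.ObjectFlags -band [System.DirectoryServices.ObjectAceFlags]::ObjectAceTypePresent) -ne 0
        if (-not ($hasWrite -and $scoped)) { continue }

        $target = if ($map.ContainsKey($ace.ObjectType)) { $map[$ace.ObjectType] } else { "unknown GUID $($ace.ObjectType)" }
        $class  = if ($ace.InheritedObjectType -ne [guid]::Empty -and $map.ContainsKey($ace.InheritedObjectType)) {
                      $map[$ace.InheritedObjectType] } else { 'all classes' }
        [pscustomobject]@{
            Trustee   = $ace.IdentityReference.Value
            Type      = $ace.AccessControlType
            Property  = $target     # attribute name, or a property-set name such as Personal-Information
            AppliesTo = $class
            Inherited = $ace.IsInherited
        }
    }
}

# Usage with the constructed values (run as an account allowed to change the OU's ACL):
# Grant-AttributeWrite -OuDistinguishedName 'OU=Staff,DC=contoso,DC=com' -GroupSamAccountName 'HR-EmployeeID-Editors' -AttributeLdapDisplayName 'employeeID'
# Get-AttributeWriteGrants -DistinguishedName 'OU=Staff,DC=contoso,DC=com' | Format-Table -AutoSize
```

The audit function is the check worth running after delegating through Adaxes: if the same group also appears in the native output with a broader property set, or with an ACE whose ObjectType is empty, the effective rights outside Adaxes are wider than the single property the Security Role grants.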