Active Directory management & automation

Hide Active Directory Objects from Users

By default, after you install Adaxes, all users can view all objects in Active Directory. However, some users in your company need to view only specific AD objects. To allow users to view only the objects they need, it is necessary to adjust their permissions via Security Roles.

The permission to view all objects in Active Directory is granted by the built-in Security Role called Domain User.


If you want to explicitly specify what objects users are allowed to access in Active Directory, first you need to remove the default assignment of the Domain User role:

  • Select the Domain User role in the Console Tree.
  • Right-click the default assignment item (Authenticated Users over All Objects).
  • In the context menu, click Delete.
  • Click Save.

After the assignment is removed, no user is allowed to view any objects in Active Directory. The only object they will still be able to view is their own user account (this permission is granted by the built-in User Self-Service role).

To allow users to view and manage objects in Active Directory, you need to assign them to corresponding Security Roles. Below you will find instructions on how to address typical requirements.

Allow all users to view objects located in a specific Organizational Unit.

To do this, assign the Domain User role to Authenticated Users over the Organizational Unit you need.

Step by step

  1. Select the Domain User role in the Console Tree.
  2. In the Result Pane (located to the right), click Add Assignment.
  3. Select Authenticated Users and click OK.
  4. Select the Organizational Unit you need, click Add, and select Child objects of this Organizational Unit.
     If you want to allow users to also view the Organizational Unit itself, select the This Organizational-Unit object option as well.
  5. Click OK two times.
  6. Click Save.

Allow Help Desk staff to view and manage all objects located in a specific Organizational Unit, and members of a specific group.

To do this, assign the Help Desk role (or any other role) to your Help Desk group over the children of an Organizational Unit and members of a group.

The Security Role must have the permission that allows reading objects in AD. All built-in Security Roles have the Allow Read all object types permission by default.

Step by step

  1. Select the Help Desk role in the Console Tree.
  2. In the Result Pane (located to the right), click Add Assignment.
  3. Select the group you need and click OK.
  4. Select the Organizational Unit you need, click Add, and select Child objects of this Organizational Unit.
  5. Click OK.
  6. Select the group whose members Help Desk staff should be able to view and manage, click Add, and select Members of this Group.
  7. Click OK two times.
  8. Click Save.

Allow managers of the Sales department to view and manage accounts of all users whose Department property contains 'Sales'. Though these accounts are located in different OUs, Sales managers must not be able to view the Active Directory structure.

To do this, assign managers of the Sales department to a Security Role over members of a Business Unit that includes all users whose Department property contains 'Sales'.

Step by step

  1. Create a Business Unit that will contain all users from the Sales department.
     See View & manage AD objects collectively to learn how to create a Business Unit.
  2. Select the Security Role you need in the Console Tree.
  3. In the Result Pane (located to the right), click Add Assignment.
  4. Select the group you need and click OK.
  5. Select the Business Units item in the Look in drop-down list.
  6. Select the Business Unit you need and click Add.
  7. Select the Members of this Business Unit and This Business Unit object options.
  8. Click OK two times.
  9. Click Save.

Grant Administrators full control over all objects in Active Directory.

To do this, you need to assign your Administrators group to the Super Manager role over All Objects.

Step by step

  1. Select the Super Manager role in the Console Tree.
  2. In the Result Pane (located to the right), click Add Assignment.
  3. Select the group you need and click OK.
  4. Select All Objects and click Add.
  5. Click OK two times.
  6. Click Save.

Blind User Role

Adaxes includes a built-in Security Role called Blind User that can also be used to hide Active Directory objects.


The Blind User role contains only one permission, Deny Read all object types, and is very simple to use. To hide an AD object from a user, you just need to assign the Blind User role to this user and include the object you want to hide in the assignment scope. In this way, you can hide objects located in an OU, members of AD groups, objects that belong to a Business Unit, specific AD objects, etc.

In case you want to hide Active Directory objects of a specific type only, you can create a Security Role that will contain the Deny Read permission applied to the object type you need.

(Screenshot: a Deny Read permission applied to the Computer object type.)

For example, to hide an Organizational Unit from users, you just need to assign the Blind User role to the users and include the OU and its child objects in the assignment scope.

The Deny permissions always override the Allow permissions, so users will not be able to view AD objects even if other Security Roles grant them such rights.
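To make the precedence and scope rules on this page concrete, here is an added example (not Adaxes code, and not its API): a small Python model of how several Security Role assignments from the scenarios above combine into what a given user can read. The directory contents, OU, group and role names are constructed sample data.

```python
# Added example (not Adaxes code): a model of how Security Role assignments
# combine into effective read visibility, following the rules on this page.
DIRECTORY = {  # constructed: DN -> parent container, group memberships, Department
    "OU=Sales,DC=example,DC=com": {"parent": "DC=example,DC=com", "groups": set(), "dept": ""},
    "OU=IT,DC=example,DC=com": {"parent": "DC=example,DC=com", "groups": set(), "dept": ""},
    "CN=alice,OU=Sales,DC=example,DC=com": {"parent": "OU=Sales,DC=example,DC=com", "groups": {"SalesMgrs"}, "dept": "Sales"},
    "CN=svc-backup,OU=Sales,DC=example,DC=com": {"parent": "OU=Sales,DC=example,DC=com", "groups": set(), "dept": "Sales"},
    "CN=bob,OU=IT,DC=example,DC=com": {"parent": "OU=IT,DC=example,DC=com", "groups": {"HelpDesk"}, "dept": "IT"},
    "CN=carol,OU=IT,DC=example,DC=com": {"parent": "OU=IT,DC=example,DC=com", "groups": set(), "dept": "Sales"},
}

def in_scope(dn, item):
    """Scope kinds mirror the page: child objects of an OU, a single object
    (e.g. the OU itself), group members, Business Unit members (a rule), All Objects."""
    kind, arg = item[0], (item[1] if len(item) > 1 else None)
    obj = DIRECTORY[dn]
    if kind == "all_objects": return True
    if kind == "children_of_ou": return obj["parent"] == arg
    if kind == "object": return dn == arg
    if kind == "members_of_group": return arg in obj["groups"]
    if kind == "members_of_bu": return arg(obj)
    raise ValueError(f"unknown scope kind {kind}")

def can_read(user_dn, target_dn, assignments):
    """Deny Read always overrides Allow Read; with no Allow at all the object is
    hidden. The built-in User Self-Service role is modelled as an Allow on own account."""
    effects = {"Allow"} if user_dn == target_dn else set()
    groups = DIRECTORY[user_dn]["groups"]
    for a in assignments:
        applies = a["trustee"] == "Authenticated Users" or a["trustee"] in groups
        if applies and any(in_scope(target_dn, s) for s in a["scope"]):
            effects.add(a["effect"])
    return "Deny" not in effects and "Allow" in effects

def visible_to(user_dn, assignments):
    return sorted(dn for dn in DIRECTORY if can_read(user_dn, dn, assignments))

# The default "Domain User -> Authenticated Users over All Objects" assignment is
# deleted; the page's scenarios are then assigned one by one (names constructed).
ASSIGNMENTS = [
    {"role": "Domain User", "effect": "Allow", "trustee": "Authenticated Users",
     "scope": [("children_of_ou", "OU=Sales,DC=example,DC=com")]},
    {"role": "Help Desk", "effect": "Allow", "trustee": "HelpDesk",
     "scope": [("children_of_ou", "OU=IT,DC=example,DC=com"), ("members_of_group", "SalesMgrs")]},
    {"role": "Sales Managers", "effect": "Allow", "trustee": "SalesMgrs",
     "scope": [("members_of_bu", lambda o: "Sales" in o["dept"])]},
    {"role": "Blind User", "effect": "Deny", "trustee": "Authenticated Users",
     "scope": [("object", "CN=svc-backup,OU=Sales,DC=example,DC=com")]},
]
```

Running `visible_to` for each user shows that Sales managers see Sales-department accounts across OUs but no OU objects, and that the Blind User assignment hides the service account from everyone regardless of the other Allow assignments.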