Active Directory management & automation

Tutorials

Hide Active Directory Objects from Users

By default, after you install Adaxes, all users can view all objects in Active Directory. However, some users in your company need to view only specific AD objects. To allow users to view only the objects they need, it is necessary to adjust their permissions via Security Roles.

The permission to view all objects in Active Directory is granted by the built-in Security Role called Domain User.

Security Role Domain User

If you want to explicitly specify what objects users are allowed to access in Active Directory, first you need to remove the default assignment of the Domain User role:

  • Select the Domain User role in the Console Tree.
  • Right-click the default assignment item (Authenticated Users over All Objects).
  • In the context menu, click Delete.

  • Click Save.

After the assignment is removed, all users are not allowed to view any objects in Active Directory. The only object they will be able to view, is their own user account (this permission is granted by the built-in User Self-Service role).

To allow users to view and manage objects in Active Directory, you need to assign them to corresponding Security Roles. Below you will find instructions on how to address typical requirements.

Allow all users to view objects located in a specific Organizational Unit.

To do this, assign the Domain User role to Authenticated Users over the Organizational Unit you need.

Step by step

  1. Select the Domain User role in the Console Tree.
  2. In the Result Pane (located to the right), click Add Assignment.
  3. Select Authenticated Users and click OK.
  4. Select the Organizational Unit you need, click Add, and select Child objects of this Organizational Unit.

    If you want to allow users to also view the Organizational Unit itself, select the This Organizational-Unit object option.
  5. Click OK two times.
  6. Click Save.


Allow Help Desk staff to view and manage all objects located in a specific Organizational Unit, and members of a specific group.

To do this, assign the Help Desk role (or any other role) to your Help Desk group over the children of an Organizational Unit and members of a group.
The Security Role must have the permission that allows reading objects in AD. All built-in Security Roles have the Allow Read all object types permission by default.

Step by step

  1. Select the Help Desk role in the Console Tree.
  2. In the Result Pane (located to the right), click Add Assignment.
  3. Select the group you need and click OK. Select Group
  4. Select the Organizational Unit you need, click Add, and select Child objects of this Organizational Unit.

  5. Click OK.
  6. Select the group, members of which you want to allow to view and manage, click Add, and select Members of this Group.

  7. Click OK two times.
  8. Click Save.


Allow managers of the Sales department to view and manage accounts of all users whose Department property contains 'Sales'. Though these accounts are located in different OUs, Sales managers must not be able to view the Active Directory structure.

To do this, assign managers of the Sales department to a Security Role over members of a Business Unit that includes all users whose Department property contains 'Sales'.

Step by step

  1. Create a Business Unit that will contain all users from the Sales department.
    See View & manage AD objects collectively to learn how to create a Business Unit.

  2. Select the Security Role you need in the Console Tree.
  3. In the Result Pane (located to the right), click Add Assignment. Click Add Assignment
  4. Select the group you need and click OK. Select Group
  5. Select the Business Units item in the Look in drop-down list.
    Select Business Units Item
  6. Select the Business Unit you need and click Add. Select Business Unit
  7. Select the Members of this Business Unit and This Business Unit object options.
  8. Click OK two times.
  9. Click Save.


Grant Administrators full control over all objects in Active Directory.

To do this, you need to assign your Administrators group to the Super Manager role over All Objects.

Step by step

  1. Select the Super Manager role in the Console Tree.
  2. In the Result Pane (located to the right), click Add Assignment. Click Add Assignment
  3. Select the group you need and click OK. Select Group
  4. Select All Objects and click Add.
    Select All Objects
  5. Click OK two times.
  6. Click Save.

Blind User Role

Adaxes includes a built-in Security Role called Blind User that can also be used to hide Active Directory objects.

Blind User Role

The Blind User role contains only one permission Deny Read all object types and is very simple to use. To hide an AD object from a user, you just need to assign the Blind User role to this user and include the object you want to hide to the assignment scope. In this way, you can hide objects located in an OU, members of AD groups, objects that belong to a Business Unit, specific AD objects, etc.

In case you want to hide Active Directory objects of a specific type only, you can create a Security Role that will contain the Deny Read permission applied to the object type you need.
Permission to Deny Viewing Computers

For example, to hide an Organizational Unit from users, you just need to assign the Blind User role to the users and include the OU and its children to the assignment scope.


The Deny permissions always override the Allow permissions, so users will not be able to view AD objects even if other Security Roles grant them such rights.
See also: Prevent Users from Viewing the AD Structure in the Web Interface.

Delegating Permissions

Hide Active Directory objects from users
Grant rights to create users
Grant rights to modify account options
Allow managers to manage their teams
Grant rights to modify AD group membership
Grant rights to reset passwords and unlock accounts
Grant rights to create and modify Business Units
Deny rights to delete users
Grant rights to execute Custom Commands
Grant rights to modify specific properties of AD objects
Grant rights to move users between OUs

Automating Daily Tasks

Automate user home directory creation
Relocate home directories after disabling users
Automatically add users to groups by department
Add users to a specific group when they are disabled
Automatically change group membership using scripts
Move newly created users to a specific OU
Request approval for user deletion
Run PowerShell script after creating a user
Automate Exchange mailbox creation for new users
Automate Exchange mailbox configuration
Schedule tasks for AD management
Automatically set profile path for Remote Desktop Services
Send e-mail on adding members to specific groups
Send initial password to newly created users via SMS
Delete inactive computers from Active Directory
Automatically deprovision inactive AD users

Simplifying Data Entry

Auto-populate the company name when creating users
Change template for auto-generating users' full name
Specify list of departments to avoid repetitive typing
Disallow specifying telephones without country code
Make Employee ID a required property & specify its format
Set default account options for new users
Validate/modify user input using a script
Predefine selection of Exchange mailbox stores
Automatically set account expiration date for new users
Generate initial password on user creation
Automatically set users' address based on their office
Provide custom help and tips for AD object properties

Active Directory Management

View & manage AD objects collectively
Create a Custom Command
Rename multiple AD users with one operation
Reset passwords for multiple users
Import user accounts from a CSV file
Schedule import of users from a CSV file
Modify Remote Desktop Services settings in bulk
Update user account options in bulk
Update multiple AD objects using PowerShell
View AD operations performed via Adaxes
Manage Fine-Grained Password Policies
Configure user deprovisioning

Web Interface Customization

Set custom logo and colors
Customize forms for user creation and editing
Customize Sign-In page and logon name options
Prevent users from viewing the Active Directory structure
Allow/deny access to the Web Interface
Disallow certain operations on Active Directory objects
Customize the Home page
Configure Home page actions
Configure the Active Directory pane
Customize Active Directory search
Put a custom message on the Change Password form
Hide specific Active Directory reports
Disable specific Web Interface components
Select the AD object types to be displayed in the UI
Manage Active Directory objects of a custom type
Configure columns in Active Directory object lists
Allow using templates for user creation
Customize Help and Support links
Create additional Web Interface sites

Self-Service

Configure Password Self-Service
Autoenroll users for Self-Password Reset
Allow users to modify specific properties of their accounts