Active Directory management & automation

Tutorials

Disallow Certain Operations on Active Directory Objects

With the help of the Active Directory Web Interface, users can only perform operations, for which they have been granted permissions (via Security Roles). If a user doesn't have rights to perform an operation, the Web Interface will not display this operation for this user.

However, sometimes you may need to explicitly disable certain operations in the Web Interface. For example, when a user is working with multiple AD objects, the Web Interface doesn't check whether this user has enough permissions to perform an operation on each object, and displays all available operations. Or you may just want to simplify the user interface by removing unnecessary features that may distract or confuse users.

In this tutorial, you will learn how to:

  • completely disable specific operations in the Web Interface,
  • disable specific operations only for specific Web Interface components (Search, AD Reports, Basket, etc.) and object views.
On the computer, where the Web Interface is installed, start the Web Interface Customization tool.


In the Interface type drop-down list, select the Web Interface you want to configure.



Activate the AD Management tab and click Customize Operations.



To completely disable an operation in the Web Interface, uncheck it in the Operations list. In this case, this operation will not be available to users in the Web Interface, even if they have rights to execute it.


Along with standard Active Directory operations, the Operations list also contains Custom Commands. You can configure Custom Commands in the same way you configure other operations.

You can disable specific operations only for specific Web Interface components. For example, to prevent users from performing the Delete operation on search results, do the following:
  • Select the Delete operation in the Operations list.
  • Select the Customize how the selected operation is displayed in check box.
  • In the AD Object Grids tab, activate the Directory Search check box.
  • Select the Don't display item in the drop-down list. When this item is selected for the Delete operation, users will not be able to delete Active Directory objects in search results.


You can enable or disable operations for the grids used in the following Web Interface components:

  • Directory Search
    The grid is used to display search results (Simple Search, Alphabetical Search, and Quick Search).

    View screenshot

  • Browsing AD
    The grid is used to display child objects of the selected Organizational Unit or Container when browsing Active Directory.

    View screenshot

  • AD Reports
    The grid is used to display results of Active Directory reports.

    View screenshot

  • Business Units
    The grid is used to display members of a Business Unit.

    View screenshot

  • Group Members Section
    The grid is used to display members of an Active Directory group.

    View screenshot

  • Member Of Section
    The grid is used to display the groups an object is a member of.

    View screenshot

  • Favorites
    The grid is used to display favorite Active Directory objects in the My Favorites tab.

    View screenshot

  • Basket
    The grid is used to display Active Directory objects located in the Basket.

    View screenshot

  • My Team Page
    This grid is used to display the users you are the manager of. This grid is shown, when you click the My Team link in the My Panel section.

    View screenshot

  • My Department Page
    This grid is used to display all users from your department. This grid is shown, when you click the My Department link in the My Panel section.

    View screenshot

  • My Managed Objects Page
    This grid is used to display the Active Directory objects managed by you. This grid is shown, when you click the My Managed Objects link in the My Panel section.

    View screenshot


Also, you can disable specific operations in the views used to display Active Directory objects. For example, to hide the Edit link from the view used to display User objects, do the following:
  • Select the Edit operation in the Operations list.
  • Select the Customize how the selected operation is displayed in check box.
  • Activate the AD Object Views tab.
  • Select the Don't Display option for the User object type. When this option is selected, the Edit link will not be shown on the page used to display User objects.


If you want an operation to be placed under the Other submenu, select the Display in Other menu option for this operation.

In object views, only the operations located at the bottom of the page header can be placed under the Other submenu.

When finished, click Apply.
There is no need to restart IIS to apply the changes, as the changes are applied automatically.

Delegating Permissions

Hide Active Directory objects from users
Grant rights to create users
Grant rights to modify account options
Allow managers to manage their teams
Grant rights to modify AD group membership
Grant rights to reset passwords and unlock accounts
Grant rights to create and modify Business Units
Deny rights to delete users
Grant rights to execute Custom Commands
Grant rights to modify specific properties of AD objects
Grant rights to move users between OUs

Automating Daily Tasks

Automate user home directory creation
Relocate home directories after disabling users
Automatically add users to groups by department
Add users to a specific group when they are disabled
Automatically change group membership using scripts
Move newly created users to a specific OU
Request approval for user deletion
Run PowerShell script after creating a user
Automate Exchange mailbox creation for new users
Automate Exchange mailbox configuration
Schedule tasks for AD management
Automatically set profile path for Remote Desktop Services
Send e-mail on adding members to specific groups
Send initial password to newly created users via SMS
Delete inactive computers from Active Directory
Automatically deprovision inactive AD users

Simplifying Data Entry

Auto-populate the company name when creating users
Change template for auto-generating users' full name
Specify list of departments to avoid repetitive typing
Disallow specifying telephones without country code
Make Employee ID a required property & specify its format
Set default account options for creating users
Validate/modify user input using a script
Predefine selection of Exchange mailbox stores
Automatically set account expiration date for new users
Generate initial password on user creation
Automatically set users' address based on their office
Provide custom help and tips for AD object properties

Active Directory Management

View & manage AD objects collectively
Create a Custom Command
Rename multiple AD users with one operation
Reset passwords for multiple users
Import user accounts from a CSV file
Schedule import of users from a CSV file
Modify Remote Desktop Services settings in bulk
Update user account options in bulk
Update multiple AD objects using PowerShell
View AD operations performed via Adaxes
Manage Fine-Grained Password Policies
Configure user deprovisioning

Web Interface Customization

Set custom logo and colors
Customize forms for user creation and editing
Customize Sign-In page and logon name options
Prevent users from viewing the Active Directory structure
Allow/deny access to the Web Interface
Disallow certain operations on Active Directory objects
Customize the Home page
Configure Home page actions
Configure the Active Directory pane
Customize Active Directory search
Put a custom message on the Change Password form
Hide specific Active Directory reports
Disable specific Web Interface components
Select the AD object types to be displayed in the UI
Manage Active Directory objects of a custom type
Configure columns in Active Directory object lists
Allow using templates for user creation
Customize Help and Support links
Create additional Web Interface sites

Self-Service

Configure Password Self-Service
Autoenroll users for Self-Password Reset
Allow users to modify specific properties of their accounts