Active Directory management & automation

Prevent Users from Viewing the Active Directory Structure

It is essential to keep non-administrative users away from the details related to the Active Directory infrastructure and configuration. The less a user can see and do in Active Directory, the less are chances that this user makes a mistake or does something wrong.

Users should be able to see and manage only the Active Directory objects included in the scope of their authority. For example, if a Help Desk operator is in charge of performing account support functions for a specific department, this Help Desk operator should be able to see only user accounts and groups related to this department and nothing else.

In this tutorial, you will learn how to configure the Web Interface to allow users to view only specific Active Directory objects, even if these objects are located deeply in the Active Directory hierarchy.

Configure User Rights
By default, all users have the right to view all Active Directory objects in all domains managed by Adaxes. So, prior to configuring the Web Interface, you need to configure Security Roles to allow users to view only the Active Directory objects they need to see.

Configure the Active Directory Pane
Configure the Active Directory pane (located on the Home page) to display all the Active Directory objects that you want to be managed with the help of the Web Interface. In this pane, users will see only those Active Directory objects, for which they have permissions.


Configure Business Units
It often happens that Active Directory objects that need to be managed collectively are spread across multiple Organizational Units or Active Directory domains. For example, if you have a geographically based OU structure, user accounts that belong to a specific department can be located in multiple Organizational Units.

To allow users to collectively manage Active Directory objects regardless of their location in Active Directory, you can use virtual object collections, called Business Units. Business Unit membership is determined by flexible membership criteria that allow including AD objects that match specific search parameters, objects located under a specific OU, members of AD groups, etc.
For more details on how to create Business Units, see View & manage AD objects collectively.
In the Web Interface, Business Units are displayed in the Business Units pane located on the Home page. For more details on how to configure the Web Interface to display the Business Units pane, see Customize the Home Page.


The Business Units pane displays only the Business Units the users are allowed to view.
Alternatively, you can configure the Active Directory pane to display specific Business Units.

Configure the Actions Pane
Customize the Actions pane (located on the Home page) to contain links for performing the operations you want to be accomplished with the help of the Web Interface. In the Actions pane, each operation can be configured to minimize the steps necessary for its execution. For example, you can add the Create User command on the Home page that will always create new user accounts in a predefined Organizational Unit. In this case, users will not select the location for new user accounts, and thus, will not be able to see the Active Directory structure.
For details, see Configure Home Page Actions.



Configure the Navigation Bar
Disallow users to use the Navigation Bar to browse Active Directory. To hide the Browse button and the object path displayed in the Navigation Bar, do the following:
  • Start the Web Interface Customization tool.
  • Activate the AD Browsing tab.
  • Uncheck the Display the Browse button and AD object paths check box.
  • Click Apply.
? Waiting

Progress status: Checking...