Prevent Users from Viewing the Active Directory Structure
It is essential to keep non-administrative users away from the details of the Active Directory infrastructure and configuration. The less a user can see and do in Active Directory, the lower the chance that the user makes a mistake or does something they should not.
Users should be able to see and manage only the Active Directory objects within the scope of their authority. For example, if a Help Desk operator performs account support for a specific department, that operator should see only the user accounts and groups of that department and nothing else.
In this tutorial, you will learn how to configure the Web Interface so that users can view only specific Active Directory objects, even if these objects are located deep in the Active Directory hierarchy.
By default, all users have the right to view all Active Directory objects in all domains managed by Adaxes. So, before configuring the Web Interface, configure Security Roles so that users can view only the Active Directory objects they need to see. Security Roles are the actual permission boundary: the Web Interface settings described below only control what is displayed, and they cannot hide an object from a user whose Security Role still grants read access to it.
Configure the Active Directory pane (located on the Home page) to display all the Active Directory objects that you want to be managed via the Web Interface. In this pane, users see only those Active Directory objects for which they have permissions.
It often happens that Active Directory objects that need to be managed together are spread across multiple Organizational Units or Active Directory domains. For example, with a geographically based OU structure, the user accounts of a single department can be located in several Organizational Units.
To let users manage Active Directory objects together regardless of their location in Active Directory, use virtual object collections called Business Units. Business Unit membership is determined by flexible membership rules that can include AD objects matching specific search criteria, objects located under a specific OU, members of AD groups, and so on.
Customize the Actions pane (located on the Home page) to contain links for the operations you want to be performed via the Web Interface. Each operation in the Actions pane can be configured to minimize the steps needed to perform it. For example, you can add a Create User command to the Home page that always creates new user accounts in a predefined Organizational Unit. Users then do not select the location for new user accounts and therefore never see the Active Directory structure.
Do not allow users to browse Active Directory via the Navigation Bar. To hide the Browse button and the object path displayed in the Navigation Bar, do the following:
- Start the Web Interface Customization tool.
- Activate the AD Browsing tab.
- Uncheck the Display the Browse button and AD object paths check box.
- Click Apply.
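Once the Security Roles and the Web Interface are configured, verify the result from the operator's side instead of trusting what the Home page shows. The PowerShell script below is an added example; it is not part of this tutorial and not code shipped with Adaxes. It assumes the Adaxes PowerShell module and the RSAT ActiveDirectory module are installed on the machine where it runs, and that the Adaxes service host (adaxes01.example.com), the domain controller (dc01.example.com), the operator account and the department value (Sales) are placeholders to be replaced with your own.

```powershell
# Added verification example (not from the Adaxes tutorial).
# Queries the directory THROUGH the Adaxes service as a Help Desk operator, so the
# result reflects what the operator's Security Role allows, which is exactly what
# the Web Interface will show. Then repeats the query with a direct LDAP bind to
# show what the same account can read when Adaxes is not in the path.
#
# Assumptions (replace with your values):
#   - Adaxes PowerShell module ("Adaxes") and RSAT ActiveDirectory module are installed
#   - Adaxes service host:    adaxes01.example.com
#   - domain controller:      dc01.example.com
#   - operator should see only users whose department attribute is "Sales"

Import-Module Adaxes
Import-Module ActiveDirectory

$adaxesService      = 'adaxes01.example.com'   # assumed Adaxes service host
$domainController   = 'dc01.example.com'       # assumed DC for the direct LDAP check
$expectedDepartment = 'Sales'                  # assumed scope of the operator's role

# Run everything as the operator, not as an Adaxes administrator.
$operatorCred = Get-Credential -Message 'Enter the Help Desk operator account'

# 1. What the operator can read through Adaxes (Security Roles enforced).
$visible = @(Get-AdmUser -Filter * -Properties department, distinguishedName `
    -AdaxesService $adaxesService -Credential $operatorCred)

# Anything outside the intended department means the role is too broad, or the
# default role that lets all users view all objects is still in effect.
$outOfScope = @($visible | Where-Object { $_.department -ne $expectedDepartment })

Write-Host ("Users visible through Adaxes: {0}; outside '{1}': {2}" -f `
    $visible.Count, $expectedDepartment, $outOfScope.Count)

if ($outOfScope.Count -gt 0) {
    Write-Warning 'Security Role scope is wider than intended. Objects leaking into view:'
    $outOfScope |
        Select-Object SamAccountName, department, distinguishedName |
        Format-Table -AutoSize
}

# 2. What the operator can read with a direct LDAP bind (Adaxes not involved).
# Adaxes Security Roles apply only to operations routed through the Adaxes service;
# direct LDAP access is governed by the AD ACLs, which by default let any
# authenticated user read most objects. A much larger count here is expected and
# is the reminder that the Web Interface hides objects from view but does not,
# by itself, remove the operator's native read access to the directory.
$direct = @(Get-ADUser -Filter * -Server $domainController -Credential $operatorCred)
Write-Host ("Users readable with a direct LDAP bind to {0}: {1}" -f `
    $domainController, $direct.Count)
```

Run the script before handing the Web Interface to the operators, and again after any change to Security Roles or Business Unit membership rules: the first count should match the operator's intended scope exactly, and the comparison with the direct-bind count tells you whether an object is truly restricted or merely not displayed.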