Adaxes

Granting "Allow Delete subtree" ACL to a user object

0 votes

Hello,

you wrote "To remedy the issue, try granting the account appropriate permissions to delete users as subtree in Active Directory."

How can I add the permission within Adaxes to the user object?

Administrators -> add "delete subtree" or Adaxes Service Account -> add "delete subtree"

I don't want to grant the Adaxes service account permissions on all accounts affected by AdminSDHolder by updating the ACL on the AdminSDHolder object in AD. Only the to be deleted user object should be affected.

regards Helmut

related to an answer for: Delete User issue
by (510 points)

1 Answer

0 votes
by (245k points)

Hello Helmut,

To perform operations in a managed domain, Adaxes uses the credentials specified for the domain. For information on how to check/change the account, have a look at the following help article: https://www.adaxes.com/help/?HowDoI.ManageActiveDirectory.ManageDomains.ChangeManagedDomainLogonInfo.html. It is not necessarily the Adaxes service account whose credentials were specified during Adaxes installation. The domain account should have all the necessary native Active Directory permissions to perform the operations you want to work in Adaxes for objects in the domain. As such, it is recommended to add the permission to delete subtree to the account over all the objects managed by Adaxes that should be available for deletion. Unfortunately, there is no possibility to manage native AD permissions for a domain in Adaxes, however, you can do it for objects in domains via the Edit Native Security option. image.png

Related questions

0 votes
0 answers
Permissions to allow a self-service user to set out-of-office replies on mailboxes they have direct full control over

Good Afternoon, I'm looking for some clarification on what security settings I would need to apply to the Self-Service Users to allow them to update both their own ... accounts they have full access to. Please let me know if this requires more clarification.

asked Jul 22, 2021 by jtop (680 points)
0 votes
1 answer
Is there a way to allow a user to reset password with authenticator or answering questions?

is it possible to allow a user to enroll for both options, or even only one option out of the two available? I would like to give my users the choice to use either. Some users may not want an authenticator, but other's might do.

asked Nov 6, 2019 by mashworth (80 points)
0 votes
1 answer
Scheduled task failing to delete domain admin user objects

Hi We have a couple of scheduled tasks set up to remove accounts which have been disabled for a perios of time. This works fine for normal user accounts, but we ... and former domain admin accounts? We're running the latest version of Adaxes Thanks Matt

asked Oct 26, 2022 by chappers77 (1.6k points)
0 votes
1 answer
Only allow membership to one security group at a time

We have RBAC groups inside an OU. We would like to restrict users from being added to multiple RBAC groups at a time. For example: RBAC Roles OU Sales RBAC Group ... groups outside of this OU structure though. What's the best way to achieve this? Thanks

asked Oct 13, 2021 by bavery (250 points)
0 votes
1 answer
Is there a way to force users to change their password, but still allow them to log in to Self-Service to change it?

I know I can set the "User must change password at next logon" flag, but noticed when I do that, they can no longer log in to Self-Service.

asked Oct 1, 2020 by RickWaukCo (300 points)
3,008 questions
2,726 answers
7,021 comments
217,504 users