0 votes

I have a Business Rule where "After User Creation", "Create the home directory".

This works fine and adds the user Modify access to their home directory, but it also adds the service account with Full Control access to the folder.

This is not desirable as the account is already an administrator and does not need to be given explicit access.

Is there a way to suppress this behavior?

by (1.1k points)

1 Answer

0 votes
by (216k points)

Hello,

You cannot configure Adaxes not to add the explicit permissions, but you can revoke them immediately after creating the home directory. To do this, you need to modify your Business Rule that creates the home directory:

  1. Launch Adaxes Administration Console.
  2. Navigate to and select your Business Rule that creates the home folders.
  3. Right-click the action that creates the home folders and click Add New Action.
  4. Paste the following script from the repository: Remove permissions for Adaxes default service administrator to access user's home directory.
  5. Select Run a program or PowerShell script.
  6. Enter a short description and click OK.
  7. Save the Business Rule.
0

Hi,

I have applied this script but I am getting the error:

[!] Cannot find path \\homedrivehere because it does not exist.
[!] Cannot bind argument to parameter 'AclObject' because it is null.

0

Hello,

It looks like the account that is used to run the script does not have sufficient permissions to access the home directory. The account is specified in the Run As section of the Run a program or PowerShell script action that is used to run the script. By default, the account of Adaxes default service administrator (the user that you specified during Adaxes installation) is used.


To remedy the issue, you can use one of the following options:

  • Grant the necessary permissions to the account that is used to run the script.

  • Specify an account that has sufficient permissions to access home directories and modify permissions. To do this:

    1. In the Run As section, select This account.
    2. Click Specify.
    3. Specify an account that has sufficient permissions and click OK.
    4. Save the changes.
0

Hi, sorry for not replying sooner but I have been rather busy.

I tried the updated script, and the results are the same. The Local Administrators group and the account used to log in to the Domain permissions are still explicitly listed as in my previous post.

0

Hello,

Can you view the account used to log in to the domain in the Administration Console and check whether the User Logon Name property is populated for that account?


Also, you never mentioned that the local Administrators group should be removed from the list. Should the permissions for the local Administrators group also be removed?

0

Ah, I figured it out. I had restricted Adaxes from all service accounts in my licensing so it could not control the object.

My bad. You can mark this as Solved.
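
The revoke step discussed in this thread, together with a guard against the two errors quoted above, as an added example that is not part of the original posts and is not the script from the Adaxes repository. The function name `Remove-ExplicitAce`, the sample account name, and the check that another Full Control entry remains are assumptions of this example.

```powershell
# Added example: hypothetical helper, not the Adaxes repository script.
function Remove-ExplicitAce {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Path,      # UNC path of the home folder
        [Parameter(Mandatory)] [string] $Identity   # e.g. 'EXAMPLE\svc-adaxes' (constructed name)
    )

    # Fail early with a clear message. If the run-as account cannot reach the
    # share, Get-Acl returns nothing and Set-Acl then rejects a null AclObject.
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "Cannot reach '$Path' as $([Environment]::UserName): missing folder or insufficient rights."
    }

    # Compare by SID so a differently formatted account name still matches.
    $sid = ([System.Security.Principal.NTAccount]$Identity).Translate(
        [System.Security.Principal.SecurityIdentifier])

    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop

    # Explicit (non-inherited) rules only, with identities returned as SIDs.
    $explicit = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    $targets  = @($explicit | Where-Object { $_.IdentityReference.Value -eq $sid.Value })
    if ($targets.Count -eq 0) {
        Write-Verbose "No explicit ACE for $Identity on $Path."
        return 0
    }

    # Assumption of this example: refuse if no other identity keeps Full Control,
    # so the folder stays manageable after the explicit entry is gone.
    $fc  = [System.Security.AccessControl.FileSystemRights]::FullControl
    $all = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $others = @($all | Where-Object {
        $_.IdentityReference.Value -ne $sid.Value -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $fc) -eq $fc
    })
    if ($others.Count -eq 0) { throw "Refusing: no other Full Control entry would remain on '$Path'." }

    foreach ($rule in $targets) { $acl.RemoveAccessRuleSpecific($rule) }
    if ($PSCmdlet.ShouldProcess($Path, "Remove $($targets.Count) explicit ACE(s) for $Identity")) {
        Set-Acl -LiteralPath $Path -AclObject $acl -ErrorAction Stop
    }
    return $targets.Count   # number of explicit entries matched for removal
}
```

Running it with `-WhatIf` against one test folder shows what would be removed without writing the ACL.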
