0 votes

I have a Business Rule where "After User Creation", "Create the home directory".

This works fine and adds the user Modify Access to their home directory, but it also adds the service account with Full Control access to the folder.

This is not desirable as the account is already an administrator and does not need to be given explicit access.

Is there a way to suppress this behavior?

by (1.1k points)

1 Answer

0 votes
by (215k points)

Hello,

You cannot configure Adaxes not to add the explicit permissions, but you can revoke them immediately after creating the home directory. To do this, you need to modify your Business Rule that creates the home directory:

  1. Launch Adaxes Administration Console.
  2. Navigate to and select your Business Rule that creates the home folders.
  3. Right-click the action that creates the home folders and click Add New Action.
  4. Paste the following script from the repository: Remove permissions for Adaxes default service administrator to access user's home directory.
  5. Select Run a program or PowerShell script.
  6. Enter a short description and click OK.
  7. Save the Business Rule.
0

Hi,

I have applied this script but I am getting the error:

[!] Cannot find path \\homedrivehere because it does not exist.
[!] Cannot bind argument to parameter 'AclObject' because it is null.

0

Hello,

It looks like the account that is used to run the script does not have sufficient permissions to access the home directory. The account is specified in the Run As section of the Run a program or PowerShell script action that is used to run the script. By default, the account of Adaxes default service administrator (the user that you specified during Adaxes installation) is used.


To remedy the issue, you can use one of the following options:

  • Grant the necessary permissions to the account that is used to run the script.

  • Specify an account that has sufficient permissions to access home directories and modify permissions. To do this:

    1. In the Run As section, select This account.
    2. Click Specify.
    3. Specify an account that has sufficient permissions and click OK.
    4. Save the changes.
0

Hi, sorry for not replying sooner but I have been rather busy.

I tried the updated script, and the results are the same. The Local Administrators group and the account used to log in to the Domain permissions are still explicitly listed as in my previous post.

0

Hello,

Can you view the account used to log in to the domain in the Administration Console and check whether the user Logon name property is populated for that account?


Also, you never mentioned that the local Administrators group should be removed from the list. Should the permissions for the local Administrators group also be removed?

0

Ah, I figured it out. I had restricted Adaxes from all service accounts in my licensing so it could not control the object.

My bad. You can mark this as Solved.
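
The second error quoted in the thread ("Cannot bind argument to parameter 'AclObject' because it is null") is the message Set-Acl gives when it is passed a null ACL, for example after Get-Acl could not read the path. As an added example (not the Adaxes repository script and not part of the original posts), the PowerShell function below removes only the explicit entries for one account and checks access to the folder first; the function name, the path and the account name are hypothetical.

```powershell
# Added example: strip explicit (non-inherited) ACEs for one account from a folder.
# Not the Adaxes repository script; Remove-ExplicitAce is a hypothetical name.
function Remove-ExplicitAce {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,      # placeholder, e.g. \\fileserver\home\jdoe
        [Parameter(Mandatory)][string]$Identity   # placeholder, e.g. EXAMPLE\svc-adaxes
    )

    # Guard 1: the run-as account must be able to see the folder.
    # Skipping this is what leads to "Cannot find path ..." followed by a null AclObject.
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        Write-Warning "Folder '$Path' not found or not accessible as $(whoami)."
        return $false
    }

    # Guard 2: stop on a read failure instead of passing $null to Set-Acl.
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        Write-Warning "Cannot read ACL on '$Path': $($_.Exception.Message)"
        return $false
    }

    # Resolve the account to a SID so matching does not depend on name format.
    try {
        $sid = ([System.Security.Principal.NTAccount]$Identity).Translate(
            [System.Security.Principal.SecurityIdentifier])
    } catch {
        Write-Warning "Cannot resolve account '$Identity'."
        return $false
    }

    # Explicit rules only ($true), inherited rules excluded ($false).
    $rules = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    $toRemove = @($rules | Where-Object { $_.IdentityReference.Value -eq $sid.Value })
    if ($toRemove.Count -eq 0) { return $true }   # nothing explicit to remove

    foreach ($rule in $toRemove) { $acl.RemoveAccessRuleSpecific($rule) }

    if ($PSCmdlet.ShouldProcess($Path, "Remove explicit ACEs for $Identity")) {
        Set-Acl -LiteralPath $Path -AclObject $acl -ErrorAction Stop
    }
    return $true
}
```

Run it with `-WhatIf` first to confirm which folder would be changed. Inherited entries and group-based access (such as the Administrators group) are left untouched, so check that the account still reaches the folder through one of those before removing its explicit entry.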
