0 votes

Is there a way to apply permission to an object using an LDAP filter? I see in the SDK how to create and assign security roles but if you can't do it in the UI will scripting through the SDK allow it?

Our OU Structure is:
-Office Name

We have a global Help Desk, Regional and Local Support. For local support the permission assignment is easy but if I have to assign the move computer permissions to every "Compters" OU then I would have an exhausting list of permissions.

Of course I could just be thinking about this all wrong and there is already an easy way to do it then please let me know :)

Thank you

by (590 points)

1 Answer

0 votes
by (215k points)


Actually, you can do it without any scripting. Adaxes allows organizing Active Directory objects into virtual collections (or virtual Organizational Units) called Business Units. This allows grouping objects by different criteria without changing the Active Directory structure. Business Units can include objects that correspond to certain membership criteria (for example, objects that match a specific LDAP filter), but located in different Active Directory containers or even in different AD domains or forests.

Take a look at the following tutorial that describes how to organize objects in Business Units and apply Security Role permissions to objects located in Business Units: http://www.adaxes.com/tutorials_ActiveD ... tively.htm.


I am currently using business units and I guess I will have to assign the permissions to the business unit and just not allow the users to view them in the web interface.

Initially I was organizing my business units in containers. Then I would assign the permissions to the container but permissions do not seem to be inherited from the containers. Also if you nest multiple containers nothing under the second level will show in the web interface. What I am trying to avoid by doing this is large business units with thousands of objects. Also when we bring on other domains I was hoping to organize by business units in containers.

The structure would look something like this but since nesting does not work I will have to figure something else out.

Business Units
-North America --> Container
--US --> Container (Does not show in web interface)
---Office --> Business Unit (Does not show in web interface)

Sorry not trying to be a pain, just trying to figure out the best easiest way to assign permissions for my situation.



Permissions issue:

Currently that's not supported. You can assign a Security Role over a container with Business Units in it, however in this case the permissions will apply to the Business Unit objects themsleves, but not to their members. So, for example, this can be used to distribute rights to view different Business Units.

But if you want to grant some rights to members of Business Units, you'll need to include the Business Unit object into the Activity Scope of the Security Role, assigning the Role to the Unit members. For information on how to grant permissions for Business Unit members, see View & Manage AD Objects Collectively (the 2nd part of the tutorial).

Business Unit visibility in the Web interface:

On the Business Units pane of the Web Interface, users will see only the objects contained on the top level of the Business Units container. If they need to view some objects located deeply in the Business Unit structure, they need to browse to the necessary Business Unit. So, for example, if a user needs to access the Office Business Unit, located in the US subcontainer of the North America Container, the user will see only the North America container on the Business Units pane. To get to the Business Unit, the user will have to double-click the North America container, then open the US subcontainer.

Alternatively, if the Browse button is enabled in the Web Interface, users can browse the Business Units tree the same as they browse Active Directory.

Note that in order to be able to view and list containers with Business Units, and also view Business Unit objects, users need to be granted appropriate permissions with the help of Security Roles. If a user doesn't have permissions to view a Container or a Business Unit, he won't be able to view the Container or the Business Unit in the Web interface. By default, the permission to view all Containers and all Business Units is granted by the built-in Domain User Security Role that allows all authenticated users to view all objects. If you changed the assignments of the Domain User Role or disabled it, you will have to assign the permissions for the containers and Business Units explicitly. For example, in the scenario above, you will need to grant at least the Read permission for the North America Container and all of its children.

Related questions

0 votes
1 answer

Hello, I'd like to create a custom Adaxes report based on the following Logging Filters - I'm currently having to filter the logs manually each time I want to gather this ... would be easier to jump on a call to discuss this further? Thank you in advance!

asked Nov 16, 2020 by sirslimjim (330 points)
0 votes
1 answer

I'm trying to create a new command that can apply to User objects across multiple domains that are in OUs with the same 'Name' i.e. an OU called Directors that occurs in ... t seem to make it work with just contains 'OU Name' i.e. (distinguishedname=OU Name)

asked Jan 21, 2020 by richarddewis (220 points)
0 votes
1 answer

I'd like to enter an LDAP string in the Target Object selection to allow managers in Self Service to search for staff in a variety of OU's I've tried to use the string where ... a top level OU. An answer to both types of query or either would be great. Thanks

asked Apr 25, 2018 by AlanWJ (150 points)
0 votes
1 answer

Hi I have a colleague who claims, that objectCategory and/or objectClass should be included in LDAP searches, to reduce load on the domain controller. It sound reasonable, but ... build into the code behind the Home Page Action ? View Group example: - Thanks

asked Jan 4, 2018 by Boxx.dk (2.6k points)
0 votes
1 answer

Hello, we have started using Softerra Adaxes to allow key users to manage some aspects of active directory. For one task we have created an ldap filter: ( ... we need: (managedBy included in %secretary%) Any help is greatly appreciated. Regards HarryNew

asked Sep 4, 2017 by HarryNew (270 points)
2,554 questions
2,297 answers
660,539 users