0 votes


Still struggling with the Blind User role :-) I found out that I cannot exclude configuration objects from the role (this is greyed out), so users cannot use the "My Approval" and "My requests" features.

Is this normal?


by (800 points)

1 Answer

0 votes
by (18.0k points)

Here you have two options:

  1. Modify the Blind User role to deny reading only AD objects of specific types.

  2. Use a different approach to hide AD objects.

    • Delete all assignments from the Blind User role.
    • Remove all assignments from the Domain User role. By default, this role grants all users the permissions to view all objects in AD.
    • Assign users to the security roles you need. Users will be able to view only the AD objects included in the assignment scope of the roles. For example:
      • If you want to allow a user to view AD objects located in a specific OU, assign this user to the Domain User role over this OU.
      • If you want to allow a user to view AD objects located in a specific OU and perform account support tasks for these objects, assign this user to the Help Desk role over this OU.

Option 2 is definitely the best and I wonder why I did not think about it before!

I will try this right now.
