0 votes


I have a Business Unit defined based on an LDAP Query which I use to limit the accounts in AD an admin can control. I would also like to limit the scope of the search so they cannot find AD users outside of the BU.

I tried removing the Read All Objects from Domain User and adding Read All Objects to my admin role with an assignment over the BU, but now only the admin's own account is visible. I can only seem to get this to work by giving read to everything which isn't what I want?

I am assuming there is a set of attributes I need to allow access to for the LDAP filter to work on the BU, but I am having trouble working it out.


by (390 points)


Could you post here or send us to support[at]adaxes.com the following:

  • A screenshot of Permissions and Assignments of your admin role.
  • A screenshot of Membership Rules of the Business Unit.

Screenshots emailed as I couldn't get them here :(



When you click Reply to Post, look right above the check boxes below the window for Options and find just to the right of it, in gray lettering, Upload Attachment


This is the Domain User Role and the Membership Rule.

The rule just has %extensionattribute5% in it and the admin user has an LDAP filter in this attribute to define the users they can control - i.e. (|(department=HR)(department=IT))

Set up like this, it works, but the Admin can search for any user in the domain, which is not what I want. If I remove the domain assignment from the Role then the admin can only find themselves.


1 Answer

0 votes
by (215k points)


The assignment of the Security Role is incorrect for the task you want to achieve. You included the Business Unit in the Assignments of the Security Role, and selected This object only as the assignment scope.

This means that you allowed authenticated users to view the Business Unit itself, but not the members of the Business Unit. To allow users to also view members of the Business Unit:

  1. Double-click the assignment of the Role that includes the Business Unit.
  2. Select the Members of this Business Unit option.
  3. Click OK.
  4. Save the Security Role.

Now I feel dumb. I stared at this for ages and didn't spot that :(

Thanks again.
