0 votes


I have a Business Unit defined based on an LDAP Query which I use to limit the accounts in AD an admin can control. I would also like to limit the scope of the search so they can not find AD users outside of the BU.

I tried removing the Read All Objects from Domain User and adding Read All Objects to my admin role with an assignment over the BU, but now only the admin's own account is visible. I can only seem to get this to work by giving read to everything which isn't what I want?

I am assuming there is a set of attributes I need to allow access to for the LDAP filter to work on the BU, but having trouble working it out?


by (2.6k points)


Could you post here or send us to support[at]adaxes.com the following:

  • A screenshot of Permissions and Assignments of your admin role.
  • A screenshot of Membership Rules of the Business Unit.

Screenshots emailed as I couldn't get them here :(



When you click Reply to Post, look right above the check boxes below the window for Options and find just to the right of it, in gray lettering, Upload Attachment


This is the Domain User Role and the Membership Rule.

The rule just has %extensionattribute5% in it and the admin users has and LDAP filter in this attribute to define the users they can control - i.e. (|(depertment=HR)(department=IT))

Setup like this it works, but the Admin can search for any user in the domain which is not what I want. If I remove the domain assignment from the Role then the admin can only find themselves.


1 Answer

0 votes
by (215k points)


The assignment of the Security Role is incorrect for the task you want to achieve. You included the Business Unit in the Assignments of the Security Role, and selected This object only as the assignment scope.

This means that you allowed authenticated users to view the Business Unit itself, but not the members of the Business unit. To allow users to also view members of the Business Unit:

  1. Double-click the assignment of the Role that includes the Business Unit.
  2. Select the Members of this Business Unit option.
  3. Click OK.
  4. Save the Security Role.

Now I fell dumb. I stared at this for ages and didn't spot that :(

Thanks again.

Related questions

0 votes
0 answers

Trying to setup a security role so that members can create and administer accounts and group membership. I would like to limit this via OU as a security role and not depend on the filters in the web console. Any suggestions?

asked Apr 5, 2016 by adaxes_user (2.1k points)
0 votes
1 answer

What rights are needed to view Password Manager Statistics? I have set Allow Read > All Object Types for a group assigned over Configuration Objects. But I get a "Data fetching Error" and "Access is denied" dialog when trying to view statistics. Thank you

asked Feb 2, 2016 by jheisley (3.7k points)
0 votes
1 answer

Hello, Is it possible to grant members of a business unit permission to run a custom command? I know I'm able to give permission to a user/group to run a cmd on a business ... that can run the command. I've not been successful with any of my attempts to do so.

asked Mar 23, 2017 by JoCCCsa (510 points)
0 votes
1 answer

Hello, I have some AD Groups I would like to exclude from a business unit I'm using. I have standard group names across multiple OUs, some should be a part of the ... than simply having a working exclude query. Any thoughts on how I can get this working?

asked Mar 24, 2016 by drew.tittle (4.5k points)
0 votes
1 answer

Hello, It is possible to read values in specuial conatianers like OU=Policies,OU=System,dc=domain? The cmdlet get-ADOrganizationlUnit is not working for this type of object. Thanks!

asked Nov 22, 2019 by tentaal (5.6k points)
2,251 questions
2,011 answers
24,640 users