In this tutorial, you will learn how to give managers rights to perform certain operations on accounts of their direct reports in Active Directory. For example, you may want managers to be able to reset passwords of their subordinates, update their job title, telephone number, out of office message in Exchange, etc.
The rights to manage user accounts, like any other rights in Adaxes, are granted with the help of Security Roles. To delegate permissions to managers, instead of assigning a Security Role to specific users and groups, you assign it to the special security principal Manager. A permission assigned to Manager is effectively granted to the user named in the Manager property of each user account in Active Directory. If a user's manager changes, the previous manager loses the rights and the new manager gains them immediately. Because the assignment is resolved from the Manager property, whoever can modify that property can also change who holds these rights, so write access to the Manager property should be treated as sensitive and delegated with the same care as the permissions themselves.
Perform the following steps to create a Security Role and assign it to managers:
Launch Adaxes Administration Console, right-click your Adaxes service, point to New and click Security Role.
Enter a name for the new Security Role and click Next.
On the Permissions step, click Add.
Select User in the list of object types on the left.
In the right part of the dialog, select the permissions you want to delegate to managers. For example, to allow them to reset user passwords, check the Reset Password permission in the Allow column.
To grant the rights to modify specific properties of user accounts, in the Property-specific permissions list, check the desired property in the Allow column.
It is good practice to include the Read permission in every Security Role so that users are guaranteed the right to view the objects they manage. By default, the right to view Active Directory objects is granted by the built-in Security Role Domain User, but because those default rights can be changed, the role you create should not depend on them.
When done, click OK and then click Next.
On the Assignments step, click Add to assign the Security Role to users.
Select Manager and click Next.
Select the scope of user accounts that managers will be able to manage.
Select one of the following:
All Objects - select to allow managers to manage accounts of their direct reports in all domains.
Specific Domain - select to allow managers to manage their direct reports within a specific domain.
OU or Container - select to allow managers to manage only the direct reports' accounts located in a specific Organizational Unit or container.
Group - select to allow managers to manage only the direct reports that are members of a group.
Business Unit - select to allow managers to manage only the direct reports that are members of a Business Unit. To select a Business Unit, open the Look in drop-down list and select the Business Units item.
When done, click Finish to complete the Assign Role wizard.
Click Finish to complete the Create Security Role wizard.
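Before enabling such an assignment it is worth checking who will actually receive rights through it, since the Manager principal resolves to whatever each user's Manager attribute says. The following PowerShell script is an added example, not part of the Adaxes documentation and not using any Adaxes API; it uses only the RSAT ActiveDirectory module (for the live query, shown in a comment) and ordinary PowerShell objects. It groups the users in a scope by their Manager attribute and reports, per manager, the direct reports they would gain rights over, whether the manager account exists and is enabled, and whether any user lists itself as its own manager. The OU name, account names and the function name Get-ManagerDelegationPreview are assumptions chosen for the example; the sample data is constructed and stands in for Get-ADUser output.

```powershell
# Added example (not from the Adaxes documentation): preview which accounts
# would receive rights via the "Manager" security principal for a given scope.
# Works on plain objects so it can be run against constructed data; the live
# query against AD is shown at the bottom.

function Get-ManagerDelegationPreview {
    [CmdletBinding()]
    param(
        # User objects with SamAccountName, DistinguishedName, Manager (a DN), Enabled
        [Parameter(Mandatory, ValueFromPipeline)] [object[]] $User,
        # Scope as in the Assign Role wizard: OU/container DN; empty string = all objects
        [string] $ScopeDN = ''
    )
    begin { $all = @() }
    process { $all += $User }
    end {
        # Index every account by DN so manager DNs can be resolved, even when
        # the manager sits outside the scope (a common case).
        $byDn = @{}
        foreach ($u in $all) { $byDn[$u.DistinguishedName] = $u }

        # Only users inside the scope with a Manager set are affected by the assignment.
        $inScope = $all | Where-Object {
            $_.Manager -and ($ScopeDN -eq '' -or $_.DistinguishedName -like "*,$ScopeDN")
        }

        $inScope | Group-Object -Property Manager | ForEach-Object {
            $mgr = $byDn[$_.Name]
            [pscustomobject]@{
                Manager        = if ($mgr) { $mgr.SamAccountName } else { "<not found: $($_.Name)>" }
                ManagerEnabled = if ($mgr) { $mgr.Enabled } else { $null }
                Count          = $_.Count
                DirectReports  = ($_.Group | ForEach-Object SamAccountName) -join ', '
                # A user whose Manager attribute points at itself would be able
                # to reset its own password through this role; flag it.
                SelfManaged    = [bool]($_.Group | Where-Object { $_.DistinguishedName -eq $_.Manager })
            }
        }
    }
}

# Constructed sample data (hypothetical accounts, not a real directory).
$scope  = 'OU=Sales,DC=example,DC=com'
$carol  = 'CN=Carol,OU=Mgmt,DC=example,DC=com'
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice'; DistinguishedName = "CN=Alice,$scope"; Manager = $carol;            Enabled = $true }
    [pscustomobject]@{ SamAccountName = 'bob';   DistinguishedName = "CN=Bob,$scope";   Manager = $carol;            Enabled = $true }
    [pscustomobject]@{ SamAccountName = 'carol'; DistinguishedName = $carol;            Manager = $null;             Enabled = $true }
    [pscustomobject]@{ SamAccountName = 'dave';  DistinguishedName = "CN=Dave,$scope";  Manager = "CN=Dave,$scope"; Enabled = $true }
    [pscustomobject]@{ SamAccountName = 'erin';  DistinguishedName = 'CN=Erin,OU=HR,DC=example,DC=com'; Manager = $carol; Enabled = $true }
)

# Expected: carol gains rights over alice and bob (erin is outside the scope),
# and dave is flagged as SelfManaged because his Manager attribute is himself.
$sample | Get-ManagerDelegationPreview -ScopeDN $scope | Format-Table -AutoSize

# Against a live domain (RSAT ActiveDirectory module). Query the whole domain,
# not just the OU, so that managers outside the OU can be resolved:
# Get-ADUser -Filter * -Properties manager |
#     Select-Object SamAccountName, DistinguishedName, Manager, Enabled |
#     Get-ManagerDelegationPreview -ScopeDN $scope | Format-Table -AutoSize
```

Run it against the scope you intend to select in the Assign Role wizard and review the output before clicking Finish: a manager entry reported as not found or disabled means the Manager attribute is stale, and a SelfManaged flag means the user would be granted the delegated permissions over their own account.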
To manage accounts of direct reports, managers can use Adaxes Web Interface. To facilitate access to the accounts, you can place the My Team pane right on the Home page of the Web Interface. For details, see Customize the Home page.