In this tutorial, you will learn how to deny the permission to delete user accounts in Active Directory. In Adaxes, to disallow an operation for a user, the user must be assigned to a Security Role that has a Deny permission for the operation.
If both Allow and Deny permissions are assigned to a user, the Deny permission takes precedence over the Allow permission. For example, if a user is assigned to two Security Roles, one of which allows deletion of user accounts and the other of which denies it, the delete operation is denied for the user.
To create and assign a Security Role that denies deletion of user accounts:
Launch the Adaxes Administration Console, right-click your Adaxes service, point to New and click Security Role.
Enter a name for the new Security Role and click Next.
On the Permissions step, click Add.
In the Add Permissions dialog, do the following:
In the General permissions list, check the Delete Object permission in the Deny column.
On the Assignments step, click Add to assign the Security Role to users.
Select the users and groups that you want to deny the right to delete user accounts. Click Next.
Select the scope of user accounts whose deletion you want to deny.
Select from the following items:
All Objects - select to deny the deletion of all user accounts in all domains managed by Adaxes.
Specific Domain - select to deny the deletion of all user accounts in a domain.
OU or Container - select to deny the deletion of the user accounts located in an Organizational Unit or container.
Group - select to deny the deletion of the user accounts that are members of a group.
Business Unit - select to deny the deletion of the user accounts that are members of a Business Unit. To select a Business Unit, open the Look in drop-down list and select the Business Units item.
When done, click Finish to complete the Assign Role wizard.
Click Finish to complete the Create Security Role wizard.
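To reason about the outcome before rolling out a Deny role, the following added example (a simplified model written for this page, not Adaxes code or its API) evaluates the Delete Object permission for a user across several role assignments, applying the rule that Deny takes precedence over Allow within the assignment scope. Role names, DNs and group names are constructed; Business Unit scopes are not modeled, and treating "no matching role" as "not permitted" is an assumption of the model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Assignment:
    role: str             # Security Role name (constructed)
    effect: str           # "allow" or "deny" for Delete Object
    trustees: frozenset   # users and groups the role is assigned to
    scope_kind: str       # "all", "domain", "ou" or "group"
    scope_value: str = ""  # base DN or group name, unused for "all"

def dn_under(dn, base):
    """True if dn equals base or lies beneath it (whole RDNs only, case-insensitive)."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)

def in_scope(a, target_dn, target_groups):
    if a.scope_kind == "all":
        return True
    if a.scope_kind in ("domain", "ou"):
        return dn_under(target_dn, a.scope_value)
    return a.scope_kind == "group" and a.scope_value in target_groups

def can_delete(actor, actor_groups, target_dn, target_groups, assignments):
    """Return (permitted, deciding role names). Any matching Deny overrides
    every matching Allow; no matching role means not permitted (assumption)."""
    identities = {actor} | set(actor_groups)
    matched = [a for a in assignments
               if identities & a.trustees and in_scope(a, target_dn, target_groups)]
    denies = [a.role for a in matched if a.effect == "deny"]
    if denies:
        return False, denies
    allows = [a.role for a in matched if a.effect == "allow"]
    return bool(allows), allows

# Constructed sample: one broad Allow role, one Deny role scoped to an OU.
ASSIGNMENTS = [
    Assignment("User Management", "allow", frozenset({"Help Desk"}), "all"),
    Assignment("Deny User Deletion", "deny", frozenset({"Help Desk"}),
               "ou", "OU=Executives,DC=example,DC=com"),
]

if __name__ == "__main__":
    for dn in ("CN=Bob,OU=Executives,DC=example,DC=com",
               "CN=Carol,OU=Staff,DC=example,DC=com"):
        print(dn, can_delete("alice", ["Help Desk"], dn, [], ASSIGNMENTS))
```
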