Grant Rights to Modify Specific Properties of AD Objects


Using Security Roles, you can grant users the right to modify specific properties of Active Directory objects. For example, you can allow users to modify only the Description property of group objects, the Employee ID property of user accounts and nothing else.

Permissions granted by Security Roles are effective only within Adaxes.

This tutorial includes step-by-step instructions on how to create a Security Role that will grant the permission to modify a single property of AD objects, and how to assign the role to users and groups.


  1. Launch Adaxes Administration Console, right-click your Adaxes service, point to New and click Security Role.



    Enter a name for the new Security Role and click Next.

  2. On the Permissions step, click Add.

  3. To add the permission to modify a property of Active Directory objects:


    • Select the type of Active Directory objects which you want to apply the permission to.


      Permissions for general properties, like Description, can be applied to all types of Active Directory objects. To do it, select the All object types option.

    • Type the name or a part of the name of the desired property in the filter edit box located in the Property-specific permissions section.


      If you can't find the property you need, make sure the Show all properties checkbox is checked.
    • Check the Write <Property Name> permission in the Allow column.


    • Click OK and then click Next.
  4. On the Assignments step, click Add to assign the Security Role to users.

  5. Select the users and groups whom you want to assign the permissions to.


    Click Next.

  6. Select the scope of objects which you want to assign the permissions on.

    Select the following items:

    • All Objects - select to allow modifying the property on all objects in all domains managed by Adaxes.

    • Specific Domain - select to allow modifying the property on all objects within a specific domain.

    • OU or Container - select to allow modifying the property on the objects located in an Organizational Unit or container.

    • Group - select to allow modifying the property on members of a group.

    • Business Unit - select to allow modifying the property on members of a Business Unit. To select a Business Unit, open the Look in drop-down list and select the Business Units item.

    You can exclude specific objects, Organizational Units, members of groups and Business Units from the assignment scope. For example, if you've assigned the Security Role on all objects in a domain, but do not want to users to be able to update the objects located in a specific Organizational Unit, you can exclude the Organizational Unit from the scope. To exclude an object, select the Exclude option in the Assignment Options dialog box.

    • Click the object you want to exclude.

    • In the Assignment Options dialog, select the Exclude option.

    • Click OK.

    When done, click Finish to complete the Assign Role wizard.

  7. Click Finish to complete the Create Security Role wizard.



Open tutorial filtering

Got questions?
Support Forum