Hide Active Directory Objects from Users


The initial permission settings in Adaxes allow all users to view all objects in all managed AD domains. In this tutorial, you will learn how to configure user rights to determine who can see what in Active Directory. For example, you can limit users to see only objects located in a particular Organizational Unit or members of a specific group, hide disabled user accounts and objects that don't match certain criteria. In a multi-tenant Active Directory environment, you may want to restrict users to see only their own Organizational Unit and hide the rest of the AD structure.

The rights to view objects in Active Directory, like any other rights in Adaxes, are granted with the help of Security Roles. The right to view all Active Directory objects is granted by default by the built-in Security Role Domain User.



The role has only one permission that allows viewing all types of AD objects. The default role assignment grants the permission to all users on all Active Directory objects.

To granularly control what objects are visible to users, you need to delete the default assignment of the role.

After the assignment is deleted, users cannot see any objects in Active Directory, except for their own account and the objects they manage. The permission to view own account is granted by default by the built-in Security Role User Self-Service. The Computer Manager and Group Manager roles allow object owners to see the computers and groups they manage.

Now you can grant rights to view objects in Active Directory.


Example 1: Allow everyone to see objects in an Organizational Unit.


To do it, assign the Domain User role to Authenticated Users on the Organizational Unit you want users to see.


  • Click Add in the Assignments section.

  • Click Authenticated Users and click Next.

  • Type the name of the Organizational Unit and then click it.

  • In the Assignment Options dialog box, select whether you want users to see only objects located directly under the Organizational Unit or the whole subtree.

    If you want users to see the Organizational Unit itself, also select the "The Organizational Unit object" option.

  • Click OK and then click Finish.

  • Click Save changes.


Example 2: Allow everyone to see members of a group.


To do it, assign the Domain User role to Authenticated Users on the members of the group you want users to see.


  • Click Add in the Assignments section.

  • Click Authenticated Users and click Next.

  • Type the name of the group and then click it.

  • In the Assignment Options dialog box, select whether you want users to see only the direct members of the group, or all members, including the members of the nested groups.

    If you want users to see the group object itself, also select the "The group object" option.

  • Click OK and then click Finish.

  • Click Save changes.


Example 3: Allow users to see the objects that contain the word Sales in their name.


To do it, first you need to create a Business Unit that will contain objects with the word Sales in their name. Then you need to assign the Domain User role to users on the members of the Business Unit.


  • Create a Business Unit that includes objects that match the following LDAP filter: (name=*Sales*).

    For instructions, see Create Business Unit.

  • Select the Domain User role.

  • Click Add in the Assignments section.

  • Type the name of the group or user to which you want to assign the role, and then click it.

    Click Next.

  • Select Business Units in the Look in drop-down.

  • Click the Business Unit.

  • In the Assignment Options dialog box, select The Business Unit object if you want users to also see the Business Unit object itself.

  • Click OK and then click Finish.

  • Click Save changes.


Example 4: Allow everyone to see objects within their own Organizational Unit.


To do it, first you need to create a Business Unit that will contain objects located in the Organizational Unit of the logged-in user. Then you need to assign the Domain User role to Authenticated Users on the members of the Business Unit.


  • Create a Business Unit that includes objects located in the Organizational Unit of the logged-in user.

    For instructions, see Create Dynamic Business Unit.

  • Select the Domain User role.

  • Click Add in the Assignments section.

  • Click Authenticated Users and click Next.

  • Select Business Units in the Look in drop-down.

  • Click the Business Unit.

  • In the Assignment Options dialog box, select The Business Unit object if you want users to also see the Business Unit object itself.

  • Click OK and then click Finish.

  • Click Save changes.


Example 5: Allow managers to see their direct reports.


To do it, assign the Domain User role to the Manager security principal on the All Objects scope.


  • Click Add in the Assignments section.

  • Click Manager and click Next.

  • Click All Objects.

    If, for example, you want managers to see only the direct reports located in a specific Organizational Unit, select the Organizational Unit instead of selecting All Objects.

  • Click OK and then click Finish.

  • Click Save changes.


All built-in Security Roles in Adaxes contain the Allow - Read - All object types permission. It means that when you assign built-in Security Roles to users, they will have the right to see the Active Directory objects included in the scope of assignment.

If you've modified the default assignments of the Domain User role, it is recommended to include the Allow - Read - All object types permission in all your Security Roles. The rule is simple: if you delegate rights to manage objects, you also need to grant the right to view those objects.


Blind User Role

Adaxes includes the built-in Security Role Blind User, which can also be used to hide Active Directory objects.



The Blind User role contains only one permission, Deny - Read - All object types, and is very simple to use. To hide an AD object from a user, you just need to assign the Blind User role to the user and include the object you want to hide in the assignment scope. This way you can hide objects located in an Organizational Unit, group members, objects that belong to a Business Unit, specific AD objects, etc.


If you want to hide Active Directory objects of a specific type only, you need to create a Security Role that will contain the Deny Read permission applied to the object type you need.


For example, to hide an Organizational Unit from a user, you need to assign the Blind User role to the user and include the Organizational Unit and the objects located under it in the assignment scope.



Since Deny permissions always override Allow permissions, users will not see the hidden Active Directory objects even if other Security Roles grant them such rights.
