Control What Objects are Displayed in Web Interface


In this tutorial you will learn how to specify which types of Active Directory objects are displayed in the Adaxes Web Interface, hide objects that don't match certain filtering criteria, and limit users to viewing only objects located in a specific Organizational Unit or container.

  1. Configure User Permissions

    In Adaxes Web Interface, users can see only the Active Directory objects they have permissions to view. By default, all users have the right to view all Active Directory objects in all domains managed by Adaxes. To allow users to view only the objects they need, it is necessary to adjust their permissions.

    For details, see Hide Active Directory Objects from Users.

  2. Configure Object Types

    You can specify which types of Active Directory objects are displayed in the Web Interface. For example, you may want to hide all computer and printer objects and allow users to only see user accounts, contacts and groups.

    Also, you can control which types of containers are displayed in the Active Directory tree. For example, you may want users to see only Organizational Units and hide containers of other types.

    • Open Adaxes Web Interface Configurator.

    • In the top left corner, select the Web Interface you want to customize.


    • In the left navigation menu, click Browsing.

    • In the Filter Options section, uncheck the types of objects you want to hide from the Web Interface.

    • To change the icon associated with an object type, select it and click Change Icon.

    • Use the checkboxes in the Container column to control what types of objects are displayed in the Active Directory tree.

    • Click Add to add an object type to the list of object types displayed in the Web Interface.

      For information on how to configure the Web Interface to manage objects of a custom type, see Manage Active Directory Objects of a Custom Type.

  3. Enable Object Filtering

    You can configure the Web Interface to display only the objects that match certain criteria. For example, you may want to hide disabled user accounts, accounts with names starting with an underscore, show only distribution groups that have the word Department in their names, etc.

    • Open Adaxes Web Interface Configurator.

    • In the top left corner, select the Web Interface you want to customize.


    • In the left navigation menu, click Browsing.

    • In the Filter Options section, select the Show only objects that match filter checkbox.

    • In the Filter field, specify the LDAP filter to apply to AD objects displayed in the Web Interface. Objects that don't match the filter will not be visible to users.

      To apply the filter to specific object types only, it must have the following structure:

      (|(!(<OBJECT TYPE FILTER>))(<YOUR FILTER>))

      Example 1: Security and distribution groups that contain Department in their names.

      (|(!(objectCategory=group))(name=*Department*))

      Example 2: Distribution groups that contain Department in their names.

      (|(!(objectCategory=group))(&(!(groupType:1.2.840.113556.1.4.803:=2147483648))(name=*Department*)))

      Example 3: Enabled user accounts only.

      (|(!(sAMAccountType=805306368))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

      Example 4: Enabled user accounts without an underscore at the beginning of their names.

      (|(!(sAMAccountType=805306368))(!(|(userAccountControl:1.2.840.113556.1.4.803:=2)(name=_*))))

      Example 5: Groups that contain Department in their names and user accounts without an underscore.

      (&(|(!(objectCategory=group))(name=*Department*))(|(!(sAMAccountType=805306368))(!(name=_*))))

      Example 6: Enabled and not expired user accounts.

      (|(!(sAMAccountType=805306368))(&(|(accountExpires=0)(accountExpires>=%datetime:format[timestamp]%))(!(userAccountControl:1.2.840.113556.1.4.803:=2))))



      You can make the filter depend on the user who is logged in. For this purpose, use value references (e.g. %department%, %company%). Value references are replaced with the corresponding property values of the logged-in user's account.

      Example 7: Groups that contain the name of the user's department.

      (|(!(objectCategory=group))(name=%department%))

      To create an LDAP filter, you can use the Find dialog in Adaxes Administration Console.

      • Launch Adaxes Administration Console.
      • Connect to your Adaxes service and click Find on the toolbar.
      • Activate the LDAP Search tab.
      • In the LDAP filter field, click the embedded button.

      • Create a filter using the LDAP Filter Builder dialog.


  4. Change Top Level Node

    You can allow users to view only AD objects located in a particular Organizational Unit or container. For example, you may want users to see only objects located in their own Organizational Unit and nothing else.

    • Open Adaxes Web Interface Configurator.

    • In the top left corner, select the Web Interface you want to customize.


    • In the left navigation menu, click Browsing.

    • Specify an OU or domain in the Top level node field located in the Navigation section.

    You can configure the top level node in such a way that it will be different depending on the user who is logged in. For example, you may want it to be an OU that has the same name as the user’s department, or the OU where the account of the user is located. For this purpose, instead of selecting a specific object, you need to use a template.

    • Click the button embedded in the Top level node field.

    • In the dialog that opens, click Template.

    • Specify a template to be used to generate the distinguished name (DN) of the top level node. You can use value references in the template, e.g. %department%, %adm-ParentDN%, %adm-DomainDN%. The value references will be replaced with corresponding property values of the logged in user’s account. To insert a value reference, click the button.

      For example, to limit users to viewing only their own Organizational Unit, use the %adm-ParentDN% value reference. It will be replaced with the distinguished name of the Organizational Unit where the account of the logged-in user is located.

    For more details on how to allow users to view only a part of the Active Directory structure, see Limit Access to Active Directory Structure.
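
To check a display filter before pasting it into the Filter field in step 3, the sketch below parses the filter and evaluates it against a few constructed objects. It is an added example, not Adaxes code: `scoped`, `parse`, `matches`, `visible` and the sample objects are hypothetical, and the evaluator covers only the operators used on this page.

```python
import re

AND_RULE = "1.2.840.113556.1.4.803"  # bitwise-AND matching rule used on the page

def scoped(type_filter, your_filter):
    """Page's structure: constrain one object type, let every other type through."""
    return f"(|(!({type_filter}))({your_filter}))"

def parse(f, i=0):
    """Recursive-descent parse of an LDAP filter string -> (tree, next index)."""
    if f[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if f[i] in "&|!":
        op, kids, i = f[i], [], i + 1
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1
    end = f.index(")", i)
    attr, cmp_op, val = re.fullmatch(r"([^=<>]+?)(>=|<=|=)(.*)", f[i:end]).groups()
    return (cmp_op, attr, val), end + 1

def matches(node, obj):
    """Two-valued evaluation: a test on an absent attribute is simply false."""
    op = node[0]
    if op == "&": return all(matches(k, obj) for k in node[1])
    if op == "|": return any(matches(k, obj) for k in node[1])
    if op == "!": return not matches(node[1][0], obj)
    name, _, rule = node[1].rstrip(":").partition(":")
    have, val = obj.get(name.lower()), node[2]
    if have is None: return False
    if rule == AND_RULE: return int(have) & int(val) == int(val)
    if op != "=": return int(have) >= int(val) if op == ">=" else int(have) <= int(val)
    pattern = ".*".join(re.escape(p) for p in val.split("*"))  # '*' is a wildcard
    return re.fullmatch(pattern, str(have), re.I) is not None

OBJECTS = [  # constructed sample entries, not real directory data
    {"name": "alice", "samaccounttype": 805306368, "useraccountcontrol": 512},
    {"name": "_svc-backup", "samaccounttype": 805306368, "useraccountcontrol": 512},
    {"name": "bob", "samaccounttype": 805306368, "useraccountcontrol": 514},
    {"name": "Sales Department", "objectcategory": "group", "grouptype": 2},
    {"name": "Admins", "objectcategory": "group", "grouptype": -2147483646},
    {"name": "PC-0042", "objectcategory": "computer", "samaccounttype": 805306369},
]

def visible(ldap_filter, objects=OBJECTS):
    tree, _ = parse(ldap_filter)
    return [o["name"] for o in objects if matches(tree, o)]
```

On this sample, an unscoped `(name=*Department*)` leaves only `Sales Department` visible, while the scoped form from Example 1 hides just the `Admins` group and keeps every user and computer.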
