Limit Access to Active Directory Structure


You can configure Adaxes Web Interface to allow users to view only a part of the Active Directory tree, or completely hide the Active Directory structure. For example, if the Help Desk team provides account support for a specific department, you may want them to see only the part of AD structure related to that department and nothing else.

In this tutorial, you will learn how to limit the visibility of the Active Directory structure in Adaxes Web Interface.

  1. Configure User Permissions

    In Adaxes Web Interface, users can see only the Active Directory objects they have permissions to view. By default, all users have the right to view all Active Directory objects in all domains managed by Adaxes. To allow users to view only the objects they need, it is necessary to adjust their permissions.

    For details, see Hide Active Directory Objects from Users.

  2. Change Top Level Node

    You can restrict users to viewing only the objects located in a particular Organizational Unit or domain and hide the rest of the AD structure. For example, you may want users to see only their own OU and nothing else.

    • Open Adaxes Web Interface Configurator.

    • In the top left corner, select the Web Interface you want to customize.


    • In the left navigation menu, click Browsing.

    • Specify an OU or domain in the Top level node field located in the Navigation section.

    You can configure the top level node in such a way that it will be different depending on the user who is logged in. For example, you may want it to be an OU that has the same name as the user’s department, or the OU where the account of the user is located. For this purpose, instead of selecting a specific object, you need to use a template.

    • Click the button embedded in the Top level node field.

    • In the dialog that opens, click Template.

    • Specify a template to be used to generate the distinguished name (DN) of the top level node. You can use value references in the template, e.g. %department%, %adm-ParentDN%, %adm-DomainDN%. The value references will be replaced with corresponding property values of the logged in user’s account. To insert a value reference, click the button.

      For example, to limit users to view only their own Organizational Unit, use the %adm-ParentDN% value reference. It will be replaced with the distinguished name of the Organizational Unit, where the account of the logged in user is located.

    Changing the top level node affects the following components of the Web Interface:

    • Browse in the main menu
    • Active Directory search
    • Operations on AD objects
    • AD object paths
    • Members/Member Of sections
    • My Team, My Department and My Managed Objects views


  3. Hide Specific Containers

    You can specify what types of containers are displayed in the Active Directory tree. For example, you may want users to see only Organizational Units and hide containers of other types.

    • Open Adaxes Web Interface Configurator.

    • In the top left corner, select the Web Interface you want to customize.


    • In the left navigation menu, click Browsing.

    • In the Filter Options section, uncheck the types of objects you want to hide.

    Also, you can configure the Web Interface to display only the containers that match certain criteria. For example, you may want the Active Directory tree to contain only the Organizational Units with the word Department in their names.

    • Open Adaxes Web Interface Configurator.

    • In the top left corner, select the Web Interface you want to customize.


    • In the left navigation menu, click Browsing.

    • In the Filter Options section, select the Show only objects that match filter checkbox.

    • In the Filter field, specify the LDAP filter to apply to AD objects displayed in the Web Interface. Objects that don't match the filter will not be visible to users.

      To apply the filter to Organizational Units only, it must have the following structure:

      (|(!(objectCategory=organizationalUnit))(<YOUR FILTER>))

      For example, to display only OUs that contain Department in their name, use the following filter:

      (|(!(objectCategory=organizationalUnit))(name=*Department*))

      To create an LDAP filter, you can use the Find dialog in Adaxes Administration Console.

      • Launch Adaxes Administration Console.
      • Connect to your Adaxes service and click Find on the toolbar.
      • Activate the LDAP Search tab.
      • In the LDAP filter field, click the embedded button.

      • Create a filter using the LDAP Filter Builder dialog.


      You can configure the filter in such a way that it will be different depending on the user who is logged in. For this purpose, use value references (e.g. %department%, %company%). Value references will be replaced with corresponding property values of the logged in user’s account.

      For example, to display only OUs that contain the name of the user's department, use the following filter:

      (|(!(objectCategory=organizationalUnit))(name=%department%))
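Added example (not Adaxes code): a small Python evaluator for the filter structure shown above, run over constructed entries, to preview which objects a filter leaves visible before it is applied. The `expand` helper, the RFC 4515 escaping of substituted values and the shortened `objectCategory` values are assumptions of this sketch; the page does not describe how Adaxes processes substituted values.

```python
import re

SAMPLE_ENTRIES = [  # constructed; objectCategory shortened to its common name
    {"name": "Sales Department", "objectCategory": "organizationalUnit"},
    {"name": "Servers", "objectCategory": "organizationalUnit"},
    {"name": "R&D (EU)", "objectCategory": "organizationalUnit"},
    {"name": "Users", "objectCategory": "container"},
    {"name": "Jane Doe", "objectCategory": "person"},
]

def escape_value(value):
    # RFC 4515: \ * ( ) and NUL become a backslash plus two hex digits.
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def expand(template, user):
    # Replace each %property% value reference with the user's escaped value.
    return re.sub(r"%([\w-]+)%", lambda m: escape_value(user[m.group(1)]), template)

def unescape(text):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)

def parse(f, i=0):
    # Recursive descent over "(|...)", "(&...)", "(!...)" and "(attr=value)".
    if f[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    if f[i + 1] in "|&!":
        op, kids, i = f[i + 1], [], i + 2
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1  # step over the closing ")"
    end = f.index(")", i)
    attr, _, value = f[i + 1:end].partition("=")
    return ("=", attr, value), end + 1

def matches(node, entry):
    if node[0] == "=":
        _, attr, value = node
        if attr not in entry:
            return False
        # "*" is the LDAP wildcard; everything else is compared literally.
        pattern = ".*".join(re.escape(unescape(p)) for p in value.split("*"))
        return re.fullmatch(pattern, entry[attr], re.I | re.S) is not None
    results = [matches(kid, entry) for kid in node[1]]
    return {"|": any, "&": all, "!": lambda r: not r[0]}[node[0]](results)

def visible(filter_text, entries=SAMPLE_ENTRIES):
    tree, _ = parse(filter_text)
    return [e["name"] for e in entries if matches(tree, e)]
```

Note that objects that are not Organizational Units pass the filter unchanged, so what users can see of them still depends on the permissions configured in step 1.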

  4. Disable the Browse Dialog

    In Adaxes Web Interface, the Browse dialog is used to browse the Active Directory tree and navigate to specific AD objects. You can either disable the dialog completely or hide it in specific Web Interface components.

    The Active Directory tree in the Browse dialog is displayed starting from the Top Level Node.

    • Open Adaxes Web Interface Configurator.

    • In the top left corner, select the Web Interface you want to customize.


    • In the left navigation menu, click Browsing.

    • In the Navigation section, clear the Show the Browse dialog in checkbox.

  5. Hide AD Object Paths

    Active Directory object paths allow users to see the location of an Active Directory object and navigate to parent objects. It is possible to either completely disable the feature, or disable it for specific Web Interface components.

    Active Directory object paths are displayed starting from the Top Level Node.

    • Open Adaxes Web Interface Configurator.

    • In the top left corner, select the Web Interface you want to customize.


    • In the left navigation menu, click Browsing.

    • In the Navigation section, under Active Directory Paths, clear the Display AD object paths in checkbox.

  6. Configure Home page

    If you have restricted access to the Active Directory structure, users may no longer be able to find the AD objects they need. To ensure access to the necessary objects, you can place them on the Home page of the Web Interface.

    For details on how to configure the Home page, see Customize the Home page.

  7. Configure Business Units

    Business Units are virtual Organizational Units that can include Active Directory objects that are spread across different locations but match certain membership criteria. With the help of Business Units, you can create alternative hierarchies of Active Directory objects that can be used instead of the real Active Directory structure.

    To enable users to use Business Units, you can make them available on the Home page of the Web Interface. For details, see Customize the Home page.

    Also, you can configure the Browse dialog located in the main menu to display Business Units only.

    • Open Adaxes Web Interface Configurator.

    • In the top left corner, select the Web Interface you want to customize.


    • In the left navigation menu, click Browsing.

    • In the Navigation section:

      • Uncheck the Display the Active Directory node checkbox.

      • Check the Display the Business Units node checkbox.
