Active Directory management & automation

Tutorials

Grant Rights to Move Users Between OUs

To move Active Directory objects from one Organizational Unit (OU) to another, a user must be granted two rights:

  • Move Objects From Container
  • Move Objects To Container.

If a user is granted the Move Objects From Container right for an AD object, then the user can move the object out of its current OU. If a user is granted the Move Objects To Container right for an OU, then the user can move AD objects to that OU.

The Move Objects From Container right must be assigned for the AD objects that you want to allow moving. The Move Objects To Container right must be assigned for the OUs to which you want to allow moving objects. Depending on your requirements, sometimes it is better to use two Security Roles to delegate the permissions - one role will grant the Move Objects From Container right, and the other role will grant the The Move Objects To Container right.

In this tutorial you will learn how to create a Security Role that will grant the permissions necessary to move user accounts, and how to assign the role to users or groups so that they could move user accounts to/from specific OUs only.

Launch Adaxes Administration Console, right-click your Adaxes service, point to New and click Security Role . The Create Security Role wizard will open.

Launching the Create Security Role wizard

Enter a name for the new Security Role and click Next.

To add a permission that will allow moving user accounts out of OUs (Move Objects From Container):
  • Click the Add button.
    Create Security Role - Step 2
    The Add Permissions dialog will open.
  • Select User in the list of object types, to which permissions are applied. Check the Move Objects From Container permission in the Allow column of the General permissions section.
    Add 'Move Objects From Container' Permission
  • Click OK.

To add a permission that will allow moving user accounts to OUs (Move Objects To Container):
  • Click the Add button again to open the Add Permissions dialog.
  • Select Organizational-Unit in the list of object types, to which permissions are applied. In the Operations on child objects section, check the Move Objects To Container permission in the Allow column. Add 'Move Objects To Container' Permission
    If you want to allow moving users to containers (e.g. built-in container Users), also select the Container object type in the list of object types.
  • To allow moving only user objects, click Select object types and select User as shown in the figure below. Click OK.

    When you select child object types, you specify which types of objects users will have the right to move.

  • Optionally, add the Read permission

    It is reasonable to add the Read - All object types permission to every Security Role, as this permission allows browsing Active Directory. By default, the permission is granted by the Domain Users built-in Security Role. However, if that Security Role is disabled, users will not be able to view any objects in Active Directory.

    To add the Read - All object types permission, click the Add button. In the Add Permissions dialog, select the Read permission in the Allow column of the General permissions section. Click OK.

    Specify additional permissions

  • Click OK.

In the Role Permissions window you can see the permissions you have just added. Click Next.

On the Assign Role page select users or groups to which you want to allow moving user accounts.
To quickly find a user or group, type its name in the search field and click . You can enter only some starting characters of the object's name and use an asterisk (*) as a wildcard.
Example: admin for Administrator, *admin* for MyAdminGroup.
Role assignments

Clicking the Assign button will display the Role Activity Scope dialog. Here you need to specify which user accounts can be moved to which OUs by the users or groups selected on the previous step (trustees).

If an assignment includes a user account, the trustees will have the permission to move that user account out of its OU. If an assignment includes an OU, the trustees will have the permission to move users to that OU.

You can select one of the following items:
  • All Objects - select if you want the trustees to be able to move any user account to any OU in any AD domain managed by Adaxes.

  • Specific Domain - select if you want the trustees to be able to move any user account to any OU in the AD domain you specify. When selected, you will need to specify the assignment scope in the Assignment Options dialog.

    Assignment Options

    In the Assignment Options dialog select the All objects in this Domain option and click OK.

    Assignment Options for a Specific Domain

  • OU or Container - select a specific Organizational Unit or container if you want to allow the trustees to either move out the user accounts located under the selected OU/container, or move user accounts to that OU/container. The applied permission will depend on the assignment scope that you will need to specify in the Assignment Options dialog.

    Assignment Options

    To allow the trustees to move user accounts to the selected OU, select This Organizational-Unit object.

    To allow the trustees to move the user accounts located under the selected OU out of this OU, select the Child objects of this Organizational-Unit option.

    To allow moving only the user accounts located directly under the selected OU, enable the Immediate child objects only option.

    If the selected OU has child OUs, the assignment will also allow the trustees to move users to the child OUs. If you don't need that, you can create a separate Security Role that will grant a single permission - Move Objects From Container and assign the role over the OU.
  • Group - select a specific group if you want to allow the trustees to move the user accounts that are members of the group. If you select a group, you will need to specify the assignment scope in the Assignment Options dialog.

    Assignment Options

    In the Assignment Options dialog select the Members of this Group option. To allow moving only the users that are direct members of the selected group, enable the Direct members only option. Click OK.

    Assignment Options

  • Business Unit - select a Business Unit if you want to allow the trustees to move the user accounts that are members of a specific Business Unit. To view available Business Units, select the Business Units item in the Look in drop-down list.

    Viewing Business Units

    If you select a Business Unit, you will need to specify the assignment scope in the Assignment Options dialog.

    Assignment Options

    In the Assignment Options dialog select the Members of this Business Unit option and click OK.

    Assignment Options

    If the selected Business Unit includes OUs, the assignment will also allow the trustees to move users to the OUs.

Select the object you need and click Add. When finished, click OK.

The assignments will be displayed in the Assignments list. To add assignments to other users or groups, repeat steps 6 and 7. Click Finish.
Distribution of permissions with the help of Security Roles does not modify Active Directory native permissions.

Delegating Permissions

Hide Active Directory objects from users
Grant rights to create users
Grant rights to modify account options
Allow managers to manage their teams
Grant rights to modify AD group membership
Grant rights to reset passwords and unlock accounts
Grant rights to create and modify Business Units
Deny rights to delete users
Grant rights to execute Custom Commands
Grant rights to modify specific properties of AD objects
Grant rights to move users between OUs

Automating Daily Tasks

Automate user home directory creation
Relocate home directories after disabling users
Automatically add users to groups by department
Add users to a specific group when they are disabled
Automatically change group membership using scripts
Move newly created users to a specific OU
Request approval for user deletion
Run PowerShell script after creating a user
Automate Exchange mailbox creation for new users
Automate Exchange mailbox configuration
Schedule tasks for AD management
Automatically set profile path for Remote Desktop Services
Send e-mail on adding members to specific groups
Send initial password to newly created users via SMS
Delete inactive computers from Active Directory
Automatically deprovision inactive AD users

Simplifying Data Entry

Auto-populate the company name when creating users
Change template for auto-generating users' full name
Specify list of departments to avoid repetitive typing
Disallow specifying telephones without country code
Make Employee ID a required property & specify its format
Set default account options for creating users
Validate/modify user input using a script
Predefine selection of Exchange mailbox stores
Automatically set account expiration date for new users
Generate initial password on user creation
Automatically set users' address based on their office
Provide custom help and tips for AD object properties

Active Directory Management

View & manage AD objects collectively
Create a Custom Command
Rename multiple AD users with one operation
Reset passwords for multiple users
Import user accounts from a CSV file
Schedule import of users from a CSV file
Modify Remote Desktop Services settings in bulk
Update user account options in bulk
Update multiple AD objects using PowerShell
View AD operations performed via Adaxes
Manage Fine-Grained Password Policies
Configure user deprovisioning

Web Interface Customization

Set custom logo and colors
Customize forms for user creation and editing
Customize Sign-In page and logon name options
Prevent users from viewing the Active Directory structure
Allow/deny access to the Web Interface
Disallow certain operations on Active Directory objects
Customize the Home page
Configure Home page actions
Configure the Active Directory pane
Customize Active Directory search
Put a custom message on the Change Password form
Hide specific Active Directory reports
Disable specific Web Interface components
Select the AD object types to be displayed in the UI
Manage Active Directory objects of a custom type
Configure columns in Active Directory object lists
Allow using templates for user creation
Customize Help and Support links
Create additional Web Interface sites

Self-Service

Configure Password Self-Service
Autoenroll users for Self-Password Reset
Allow users to modify specific properties of their accounts