Grant rights to create users
To allow users to create new objects in Active Directory or Microsoft Entra domains, you need to grant them appropriate permissions using security roles. In this tutorial, you will learn how to create a security role that grants users the ability to create user accounts.
Permissions granted by security roles are effective only within Adaxes.
-
Launch Adaxes Administration console.
How {id=collapse1}
-
On the computer where Adaxes Administration console is installed, open Windows Start menu.
-
Click Adaxes Administration Console.
-
-
Right-click your Adaxes service, point to New and click Security Role.
-
Enter a name for the new security role and click Next.
-
On the Permissions step, click Add.
-
In the Operations on child objects section, select the Create Child Objects permission in the Allow column.
-
To allow creation of user accounts only, click Select object types and select the User object type.
Optionally, add the Read permission {id=optionally_add_read_permission}
It is a good practice to add the Read permission to all security roles. It will ensure that users have the right to view the objects they manage. By default, the rights to view directory objects are granted by built-in security role Domain user. It is recommended to add the Read permission because the default rights can be changed.
Click OK.
-
Click Next.
-
On the Assignments step, click Add.
-
Select the users and groups to assign the permissions to.
Click Next.
-
Select where you want the users to be able to create new accounts.
Select from the following items:
-
All Objects – select to allow creating user accounts in any organizational unit in any domain managed by Adaxes.
-
Domain – select to allow creating user accounts in any organizational unit within a specific domain and in the domain itself.
-
OU or Container – select to allow creating user accounts in an organizational unit or container.
Assignment options {id=assignment_options_ou}
-
To allow creating user accounts in the selected organizational unit only, select The Organizational Unit object.
-
To allow creating user accounts in the selected organizational unit and in the organizational units located in it, select Objects located in the Organizational Unit. Select One level to include only the organizational units located directly in the selected one.
-
For Microsoft Entra domains, the security role must be assigned over the domain itself, as Microsoft Entra ID has a flat structure i.e. there are no organizational units.
Click Finish to complete the Assign Role wizard.
-
-
Click Finish to complete the Create security role wizard.