0 votes

We want to allow certain users within certain OU's to manage user accounts and the exchange mailboxes of only users within their respected OU. They shouldn't be allowed to see anything else other than what is within their OU. Is there a way to setup one web interface with the same actions but limit the scope based on the OU the logged in user resides in?

by (50 points)

1 Answer

0 votes
by (216k points)
selected by
Best answer

Update 2018

Starting with Adaxes 2018.1 you can limit access to AD structure in the Web interface by specifying a top level node. For details, have a look at the following tutorial: https://www.adaxes.com/tutorials_WebInterfaceCustomization_PreventUsersFromViewingTheADStructure.htm.

Original

Hello,

Yes, you can set up a Web Interface site, in which the scope of the actions depends on who is logged on to the Web Interface. For each action, you can specify a target container where it will be possible to select the objects on which to execute the action. Instead of providing a specific container, you can use a value reference. When the action is executed, the value reference will be replaced with a property value of the user logged on to the Web Interface. In your case, you can use the %adm-PrentDN% value reference. It will be replaced with the Distinguished Name (DN) of the container where the logged in user is located.

To configure an existing Home Page Action:

  1. Launch the Web interface Customization tool.
  2. In the Interface type drop-down list, select the Web Interface you want to configure.
  3. On the General tab, click Configure Home Page Actions.
  4. Select the action you want to configure, for example, Create User, and click Edit.
  5. Activate the Target Container tab.
  6. Enable the Select specific AD container or OU by default option.
  7. Click the Insert a reference to a property value button near the Container DN field.
  8. Click Show all properties and select adm-ParentDN. Click OK.
  9. Select Always use this OU/Container.
  10. Click OK twice.

You can use the same approach to any other actions you need.

You can also configure the Web Interface Active Directory Pane to display only the OU a user can have access to. To learn how to do this, refer to the following tutorial: http://www.adaxes.com/tutorials_WebInte ... ryPane.htm.

On the Step 5 of this tutorial, you need to specify %adm-ParentDN% in the Object DN field.

Related questions

0 votes
1 answer

Is it possible to for security groups that are nested under an OU to inherit that OU's 'Managed By' value? I'd like to grant the OU Owner rights to the security groups ... option is to manually edit each group one by one. Is there a script that automates this?

asked Mar 26, 2020 by sirslimjim (480 points)
0 votes
1 answer

Is it possible to restrict entire OU's from licensing, rather than on a per-object basis? We may have a requirement, due to a corporate merger, to remotely adminster a ... 'd be looking to exclude all OU's but those containing 'our' users etc. Thanks

asked Jan 25, 2017 by firegoblin (1.6k points)
0 votes
1 answer

When configuring web page - under "Object Selection" - you can only choose 1 location (OU) when you select "Allow selecting only AD objects located under" - is there a way to have multiple OUs instead - perhaps using a LDAP filter?

asked Feb 2, 2021 by foleyjm (20 points)
0 votes
1 answer

Hello We are using the Computer Manager security role and have given access to this group of staff to a web console, what I can't get working is getting it to display the ... else like OS, service pack, role are displaying OK. Can you help please? Thank you.

asked Feb 4, 2015 by CBurn (700 points)
0 votes
1 answer

I'm lost as to why "Create User" doesn't show up. I made a new dashboard, mirroring the default Help Desk. Under Actions, I enabled Create User. On the web interface, the option to create a user is not showing. Am I missing a step?

asked May 15 by tromanko (330 points)
3,589 questions
3,278 answers
8,303 comments
548,137 users