0 votes

Hello Adaxes,

I'm trying to figure how i can configure security role for a type of user correctly.

I need the user to be able to create user within his OU (and only within it), but i don't want him to be able to modify the password of the user or anything else after the creation occured, is there a way to achieve that ?

Thanks.

by (460 points)

1 Answer

0 votes
by (216k points)
selected by
Best answer

Hello Alexandre,

Yes, there is a way to do this, but a Security Role only is not enough to achieve the task. To do that, you need to create a Security Role and a Business Rule. The Security Role will allow users to create new user accounts, and the Business Rule will cancel the operation if a new user is created in an OU other than the users' own OU. To implement this:

I. Create Security Role that allows creating new user accounts

For information on how to create a Security Role that allows creating new user accounts, see the Grant Rights to Create Users Tutorial. On step 8, select All Objects.

II. Create Business Rule that cancels the operation
To create a Business Rule that cancels the operation if a new account is created in another OU than the user's own Organizational Unit:

  1. Create a new Business Rule.

  2. On Step 2 of the Create Business Rule wizard, select User and Before Creating a User.

  3. On Step 3, add the Run a program or PowerShell script action and paste the following script:

     if ("%adm-InitiatorParentDN%" -ine "%adm-ParentDN%")
     {
         $Context.Cancel("You are not allowed to create users outside your Organizational Unit") # TODO: Modify me
     }
    

  4. Enter a short description and click OK.

  5. On the final step, include All Objects in the Activity Scope.

Related questions

0 votes
0 answers

Good afternoon, As our environment has grown we are spending effort to build out security roles for different departments. I would like to grant the IT department access to ... to the "Configuration Objects" but that didn't get the necessary access Thanks!

asked Jun 28, 2016 by strikk (360 points)
0 votes
1 answer

We have a test instance of ADAxes in our testing lab. We are required to create and test security roles in this environment before adding them into production. Is ... back up a specific security role definition and restore from one environment to another?

asked Feb 12, 2012 by BradG (950 points)
0 votes
1 answer

As part of offboarding a user I need to generate a report of all AD groups, Entra groups and all Azure / M365 roles and licenses the user has before they ... about keeping a record of the leavers configured profile to simplify cloning them onto new starters.

asked Jun 24 by dhardyuk (20 points)
0 votes
1 answer

Hello All, is is possible via Adaxes deprovisioning to remove all his Azure and M365 roles besides custom Powershell script? Regards Ivaylo

asked Mar 31, 2023 by ivaylo.valkov (100 points)
0 votes
1 answer

Our adaxes service account is able to create the mailbox when running our create user business rule, but cannot change any settings like disable OWA. What level of security will it need?

asked Apr 6, 2021 by bstone (50 points)
3,548 questions
3,239 answers
8,232 comments
547,814 users