0 votes

Is it possible to restrict entire OU's from licensing, rather than on a per-object basis?

We may have a requirement, due to a corporate merger, to remotely adminster a subsection of accounts in a '3rd party' AD. As they would still be capable of creating new accounts etc in 'their' bit if we can only filter specific objects we'd need to constantly update, so we'd be looking to exclude all OU's but those containing 'our' users etc.

Thanks

by (1.6k points)

1 Answer

+1 vote
by (294k points)
selected by
Best answer

Hello,

Have a look at the following help article: http://www.adaxes.com/help/?HowDoI.Mana ... ounts.html. You need option Using a Scheduled Task and a script and the following script: http://www.adaxes.com/script-repository ... s-s178.htm.

0

Thanks - very helpful.

That said - the number of users within the AD domain that we will be managing is going to be <5% of the total (less than 1,000 out of 10,'s of thousands). I'm slightly concerned with the script trawling and disabling thousands of objects, rather than the other way - trawling and *enabling* hundreds (if that makes sense).

Do you know the impact on the DC for doing this?

0

Hello,

First of all, the script does not disable any users. It only adds them them to the Unmanaged Accounts list managed internally by Adaxes. Any accounts on that list are completely ignored by Adaxes. You won't be able to view them anywhere in Adaxes, and they are not included in the license count. From the point of view of native Active Directory tools, like ADUC or Exchange, for example, there will be no changes.

Secondly, since you are going to manage only a small portion of accounts in that AD, we can suggest an alternative solution that will suit your needs better. To manage an AD domain with the help of Adaxes, you need to register it. To do this, you need to specify an account whose credentials will be used to access the domain. Adaxes will use the account to perform any operations within the domain using the specified credentials and will be limited by the access permissions of the account you specify.

By default, an account of a domain administrator is required to register a domain, which grants Adaxes the permissions to view the whole domain. However, you can also register a domain using an account who is not an administrator. In your scenario, you can use an account that has permissions to view only the accounts you want to manage with the help of Adaxes. For information on how to enable registering domains using accounts of non-administrators, see the following help article: http://www.adaxes.com/help/?HowDoI.Mana ... mains.html.

0

Many thanks - that sounds like it could be a good alternate plan.

Apologies for using 'disable' rather than 'unmanage' - I was aware that this was the case, it was more about the amount of traffic that it would generate etc.

Rgds

Related questions

0 votes
1 answer

Hi, How would you most elegantly do the following? Every time a request is made to move a computer account into OU XYZ, workflow approval should be sent before the ... computer account is being moved from OU XYZ, it does not need workflow approval. Thanks!

asked Dec 9, 2014 by BradG (950 points)
0 votes
1 answer

Is it possible to for security groups that are nested under an OU to inherit that OU's 'Managed By' value? I'd like to grant the OU Owner rights to the security groups ... option is to manually edit each group one by one. Is there a script that automates this?

asked Mar 26, 2020 by sirslimjim (480 points)
0 votes
1 answer

We want to allow certain users within certain OU's to manage user accounts and the exchange mailboxes of only users within their respected OU. They shouldn't be allowed to see ... same actions but limit the scope based on the OU the logged in user resides in?

asked Dec 11, 2015 by markj0825 (50 points)
0 votes
1 answer

Is there a way to add Microsoft Defender for Office 365 Plan 2 licenses from Adaxes? Currently it is not showing in the list of available licenses to modify. The endpoint ... the E3 license is showing up no problem, just not the standalone one for O365.

asked Aug 20 by Alex23 (50 points)
0 votes
1 answer

As part of offboarding a user I need to generate a report of all AD groups, Entra groups and all Azure / M365 roles and licenses the user has before they ... about keeping a record of the leavers configured profile to simplify cloning them onto new starters.

asked Jun 24 by dhardyuk (20 points)
3,589 questions
3,278 answers
8,303 comments
548,148 users