0 votes

I'm looking to allow users to initiate their own account moves between company sites. Often I've seen employees relocate without notifying the Help Desk. If I can push this task off to the user, then it would put the responsibility for their end user experience (over WAN links) onto them, not IT.

Here's what I'm thinking:

User hits their Self Service portal, and hits a custom action called Change My Work Location, which will trigger an Authorization request to their Manager. Once approved, the account will move to a temporary OU called ToOfficeX (or whatever). User objects in this OU will trigger a nightly scheduled task that will move the user data and Mailbox to the new site. At the end of the task, it would move the user object to the official OfficeX OU and notify the user that the move was complete.

What I can't get to work is the initial user account to move to the destination OU. I get Access Denied, and the logs don't supply any additional info to start digging. I've messed with Self permissions, and OU permissions, but still no luck.

Any help would be appreciated!

Thx!

--Joel

by (510 points)
0

The users will need the following permissions in the security role:

You can easily add these two permissions by using the dropdown list on the "add" button:
Choose "Move users between Organizational Units"

1 Answer

0 votes
by (1.8k points)
selected by
Best answer

When I rethink this, the self-service security role is probably assigned only to give rights to their own object.

You will need to add under "Assignments" authenticated users assigned over the existing OU and the destination OU.
PS: make sure you only give access to "This object only" on the OUs, and not to all objects inside the OUs.

0

Bingo!! That worked!! Thanks a bunch! I knew I was missing a permission somewhere.... I had thrashed about trying this and that.. I had originally tried both settings from your first post to no avail.

I only needed Auth Users as an Assignment on the destination OU, not the Source. I'll have to create 10 or so individual assignments, one for each destination OU, but that's ok. If the Perms were granular to distinguish OUs vs Accounts, then 1 would do. No biggy.

Thx again!

--Joel
