Administrative Units

Content: 

Overview of Administrative Units

Administrative Units are sets of queries that can be used to represent administrative boundaries and simplify day-to-day tasks within the Cayosoft Administrator Web Portal. Administrative Portal users must first be delegated the correct role membership to see any of the built-in Administrative Units.

The out-of-the-box Administrative Units include Active Directory, My Organization, Microsoft Office 365 and Self-Service. Additional Administrative Units can be constructed to mirror existing Active Directory Organizational Units (OUs) or to create new types of management boundaries that cut across multiple OUs.

What do Administrative Units do?

• Control what administrators can see and do within the Administrative Web Portal.

• Limit administrators to working within one Logical or Geographical scope of a  specific platform. For example, limit administrators to managing the objects in a single OU or that are associated with the specific department or office location.

• Set default values that are used when administrators click an Action. For example, Administrative Units can define the default location for a new User when an administrator clicks the New User action.

The different types of Administrative Units

• Predefined Administrative Unit - these are the built-in Active Directory and Microsoft Office 365 Administrative Units. You can modify the web query settings in these Administrative Units but Cayosoft recommends to create a copy of these Administrative Units and modify them.

• Custom Administrative Unit – these are Administrative Units that were copied from predefined Administrative Units and their settings were modified. For more information, please see the next Configuration of custom Administrative Units section.

• Global Administrative Unit – This type of Administrative Unit derives its scope(s) from the Standard Administrative Units delegated to the current administrator. Global Administrative Units allow a delegated admin to perform searches across all of his/her Standard Administrative Units without the need of knowing which Standard Administrative Unit the object can be found. It is often used to simplify the searches performed by a centralized help desk. For more information about Global administrative units, see Configuration of Global Administrative Unit for Global search.

Configuration of custom Administrative Units

To create the management boundaries across multiple OUs structure you need to create custom Administrative Units and configure the web queries inside them.

The scope for the default web queries included in the built-in Active Directory Administrative Unit is set to the default domain. Thus, default web query enumerates all objects in the default domain.

The scope for the custom web queries included in the custom Administrative Unit is defined as the Administrative Unit scope during Administrative Unit creation. So, when you create a custom Administrative Unit, you should specify the scope of the objects that will match the delegation tasks it solves.

Create a New Administrative Unit

1. In the Administrative Console navigate to Admin Units (Web Queries)

   Each folder represents an Administrative Unit.

2. Click the Active Directory Administrative Unit (Folder)

3. Click Copy on the Action menu - the Copy Rules Wizard will appear:
   
   

4. Enter a name for the Administrative Unit - consider using the Name that administrators will recognize such as the name of the OU or department this Administrative Unit will control.

5. Click Create delegation for Web Administrators

6. Click Change Scope and Defaults

7. Click the button to the right of Limit Scope to this Domain or OU

8. Select the OU that will be managed through this Administrative Unit and click OK
   
   
9. Set default creation locations for Users, Groups, Computers and other objects by repeating the same process for each item in the Action and Picker Scopes section. For more details about these settings, please see AD Users web query article.
   
   

10. Click Copy and the new Administrative Unit will appear

11. Assign delegation to the new Administrative Unit (Covered in the next set of steps)

Modify an existing Administrative Unit Web Queries

When you create a custom Administrative Unit, you can set the default folders used by an Administrative Unit by editing the Web Queries associated with the Administrative Unit. For example, if the default OU for a New User created in a specific Administrative Unit must be adjusted, the Active Directory -> AD Users web query would be modified.

1. In the Administrative Console navigate to Admin Units (Web Queries).

2. Expand the Administrative Unit that will be modified to display the Web Queries associated with that Administrative Unit.

3. Select the Web Query that will be modified - the Web Query form will appear on the right

4. Adjust the Web Query settings as needed. For more details about these settings, please see AD Users web query article.

• Limit scope to this Domain or OU:

  This value is known as the Web Query Scope. By default, this value is read from default configuration of the platform covered by this query. Changing this value sets a hard boundary for the query meaning administrators will not be able to manage object outside of this scope.

• Query Criteria:

  Query criteria determine what type of objects are displayed when the Web Query is executed by the admin.

• More Option:

  This section provides a method of changing the Domain Controller against which the Web Query is executed. Normally this will not require modification.

• Action and Picker Scopes:

  This section defines the policy and default values actions will use when they are executed with this Web Query selected. Actions are tasks such as Create New User or Reset Password. Pickers are dialog boxes that allow the admin to browse and select object(s) like an OU when an action requires it. For example, to use the Move command, the admin will use an object picker dialog box to select the destination OU for the object being moved.

5. After the default values are changed as needed, Click Save Changes to commit the changes.

Include User Description in Quick Search

1. In the Administrative Console navigate to Admin Units (Web Queries).

2. Expand the Administrative Unit that will be modified to display the Web Queries associated with that Administrative Unit.
   
   

3. Select the AD Users Web Query - the Web Query form will appear on the right.

4. Click the button to the right of Query Criteria field:
   
   

5. Click Add a Condition at the bottom left of the Define Filter dialog box

6. Change the conditional operator above the new conditions from And to Or

7. In the new condition you added enter:

   Description    Like    $searchValueWithAsterisk
   

   Note: the $searchValueWithAsterisk should be the same string for both the Name and Description conditions.

   
   

8. Confirm the new condition values
   

9. Click OK

10. Click Save Changes

Quick Search will now consider the Description Attribute when searching for a user.

Delegate access to Administrative Units

For detailed information on this subject, please see: Role-Based Delegation & Attribute Security

1. Navigate to Configuration -> Roles -> Web Administration
2. Locate the Delegation with the same name as the Administrative Unit to which you wish to grant access:
   
   

3. In the Trustee section, click Add
   
   

3. Browse for the user or group that will have access to the Administrative Unit

   Note: The Queries and Actions of the Administrative Unit created in the previous set of steps were already added to the new delegation to Trustees permissions section. You can change them if you need to.

4. Click OK

5. Click Save Changes at the bottom right to complete the delegation

6. Login to the Cayosoft Web Administrator Portal to verify the Administrative Unit was created as expected
   
   

Web query columns customization

Cayosoft Administrator has centralized columns' settings for Active Directory Web queries shared among all Admin Units. You can customize these general columns' settings, or you can redefine them for certain Admin Units.

Default columns for Active Directory queries 

To see which columns defined as the default for Active Directory Web queries perform the following steps:

1. In Cayosoft Administrator go to HOME > CONFIGURATION > Active Directory
2. Open Customize Columns (Web Interface) section
3. Here is the list of Active Directory objects queries defined as default

This set of columns is defined by default for all Active Directory Web queries in all Admin Units. You can modify them as you like, change columns names, add more columns or remove some of them. But we recommend saving somewhere the default columns set, in order you can restore defaults for your Web queries.

How to define columns set for a single Web query in Admin Unit

If you need to redefine the columns set for some Active Directory Web query, perform the following steps:

1. In Cayosoft Administrator open Web query, you need to modify
2. Open More Options section
3. Specify columns in Properties to display setting:

4. After that in Cayosoft Web Portal browse for Active Directory -> Ad Users query
5. You will see specified columns: 

If you need to restore default columns, you can always come back to Cayosoft Administrator, open this Web query and select Use Default Columns for AD Users query

Columns formatting

To set the column for Web query to specify object property LDAP name and column name for it - for example mail~Email Address.

It's also possible to specify column width and make the column invisible by default: mail~Email Address~true~25%. True or 1 means that column will be invisible, 25% defines column width.

If the third parameter, true or 1, is not defined, it means that column will be visible in Web Interface.

If the width is not set, all columns will have the same width.

Advanced filtering of sub-OU objects

When Administrative Units are based on Active Directory organizational units (OUs), it may be necessary to include or exclude one or more sub-OUs.

Including multiple Organizational Units to the Admin Unit

Example: suppose, you have multiple departments in your organization, one OU per department and each department has a sub-OU that collects service accounts.

To make management of the service accounts easier, you need to consolidate the service account management into a single admin unit. To do this, you need to create a new admin unit and configure the admin unit's query criteria.

1. Open the configuration and automation console

2. Navigate to Admin Units (Web Queries)

3. Click the Active Directory Administrative Unit

4. Click Copy Rules on the action menu

5. Enter a name for the new administrative unit - Service Accounts

6. Click Copy

7. In the created administrative unit click AD Users query 

8. To the far right of the Limit scope to this Domain or OU click the Select button

9. Select the domain that contains OUs with service accounts

10. To the far right of the Query Criteria click the Select button

11. Click Add a condition

12. In the attribute name, paste msDS-parentdistname

13. Select Equal for the operator

14. Paste DN of the first Service Account OU. You can copy it from ADUC, with Advanced Features turned ON, Attribute Editor tab on OU object

15. Repeat steps 11- 14 for other OUs

16. Group all added conditions by Or:

    1. To do so click Manage Grouping

    2. Click checkboxes near the conditions

    3. Click Group

{(($searchAttrName -eq $searchValue) -or (Name -like $searchValueWithAsterisk)) -and ((msDS-parentdistname -eq "OU=Service Accounts,OU=MyOU,DC=mydomain,DC=name") -or (msDS-parentdistname -eq "OU=Service Accounts,OU=MyOU,DC=mydomain,DC=name"))}

9. Click OK

10. Click Save Changes

Excluding Built-in and Users default OUs from Search

Example: if you need help desk team to manage all users in the Corp OU (OU=Corp,DC=cayodemo,DC=com), but not be allowed to see or manage user accounts in Service accounts Sub OU (OU=Service Accounts,OU=Corp,DC=cayodemo,DC=com), then you need to configure a filter.

1. Open the configuration and automation console

2. Navigate to Admin Units (Web Queries)

3. Expand the Administrative Unit that will be modified and choose the AD Users web query

4. In the Query section expand the more More Options grouping

5. To the far right of the Filter field click the Select button

6. Below the list, click the select button to the right of Filter Conditions field

7. Click Add a condition

8. Configure the new condition as follows

   DistinguishedName       NotLike     *CN=Builtin,DC=cayodemo,DC=com
   
   

9. Repeat step 8 for any additional OU that should be excluded from AD User Search query

10. Click OK

11. Click Save Changes

Object Pickers Overview

Object pickers are the dialog boxes that allow you to browse the underlying system to make selections. For example, when creating a new user, you may want to select an OU or when managing group membership you may want to select a user or group object.

The Select OUs Object Picker

The Select Organization Unit object picker allows the user to select an Active Directory OU. By default, this object picker limits the returned objects to the scope set by the Administrative Unit (a.k.a Web Query Scope).

To make searching for the correct OU easier Cayosoft recommends updating the Display Name of all Organizational units so that the DisplayName contains both the Parent OU name and the name of the OU.

Improving Search by setting OU Display Name

The DisplayName attribute is one of the attributes flagged in Active Directory for use by Ambiguous Name Resolution (ANR) searches.

The DisplayName is using primarily for formatting the name as desired in the on-premises Microsoft Exchange Global Address list. In most customer environments, it is not normally populated for OUs as there is little value in doing so. By updating the DisplayName attribute searching for OUs in a complex OU structure is faster and easier since it essentially makes the relationship between OUs a part of ANR Search.

1. Open the configuration and automation console

2. Click New Rule on the toolbar or Action menu

3. Check Active Directory then click Next

4. Check OUs then click Next

5. Click AD Organizational Units | Set Display Name to Parent and Child

6. Click Next

7. Click Create and Save Report then click Next

8. Chang the label as needed then click Finish - the new rule will be displayed

9. Expand the More Options section

10. Set the Filter to {$_.DisplayName -eq $Null}

11. Validate the Depth is set to Immediate Parent

    Immediate Parent option will have a format like London Users

    All Parents option will have a format like UK London Users

12. Click Save

13. Preview the Rule to ensure the proper OUs have been targeted

14. Run the rule to update the OU DisplayName attribute of the targeted OUs

Overview of Attribute Policies

In version 4.1.3 and later, Attribute Policies are the preferred method for controlling how users interact with attributes. Attribute Policies control attribute data modification in the following ways:

• The value is required

• Minimum and maximum length of an entry

• Mask that control the format in which the data must be entered

• Generation option for attributes that are constructed

• Default value

• Possible values

• Label used on dialog boxes

Use attribute policies to set default password

1. Open Cayosoft Administrator console

2. Navigate to Attribute Policies

3. Click the button Add Attribute Policy in the upper right corner

4. Enter the name of the new policy then expand the Policy Details

5. Click Add in the Policy Scope section

6. In the Specify Policy Scope dialog, select the Active Directory admin unit

7. In the Select web query column select AD Users

   Note: you can select additional web queries if needed like, AD User Templates, AD Users (Inactive), or AD Users (Locked out)

8. In Web Actions, select New User and Clone User

9. Click OK

10. Select the Policy Scope you just created, the second half of the policy will display the attributes within the scope you created

11. In the Attribute policy settings section select Auto-generated password item in Attribute policy settings section, click Edit policy button

12. In Attribute policy for Auto-generated password dialog select checkbox Default Value and set its value as false.

13. Click OK

14. Select Password in Attribute policy settings, click Edit policy button

15. In Attribute policy for P@ssword123 dialog select checkbox Default Value and set its value to which you want to be the default password.

16. Click OK

17. Click Save Changes