Overview of Administrative Units
Administrative Units are sets of queries that can be used to represent administrative boundaries and simplify day-to-day tasks within the Cayosoft Administrator Web Portal. Administrative Portal users must first be delegated the correct role membership to see any of the built-in Administrative Units.
The out-of-the-box Administrative Units include Active Directory, My Organization, Microsoft Office 365, and Self-Service. Additional Administrative Units can be constructed to mirror existing Active Directory Organizational Units (OUs) or to create new types of management boundaries that cut across multiple OUs.
What do Administrative Units do?
- Control what administrators can see and do within the Administrative Web Portal.
- Limit administrators to working within one logical or geographical scope of a specific platform. For example, limit administrators to managing the objects in a single OU, or those associated with a specific department or office location.
- Set default values that are used when administrators click an Action. For example, an Administrative Unit can define the default location for a new User when an administrator clicks the New User action.
The different types of Administrative Units
- Predefined Administrative Unit - these are the built-in Active Directory and Microsoft Office 365 Administrative Units. You can modify the web query settings in these Administrative Units, but Cayosoft recommends creating a copy of them and modifying the copy instead.
- Custom Administrative Unit - these are Administrative Units that were copied from predefined Administrative Units and then had their settings modified. For more information, see the Configuration of custom Administrative Units section below.
- Global Administrative Unit - this type of Administrative Unit derives its scope(s) from the Standard Administrative Units delegated to the current administrator. Global Administrative Units allow a delegated admin to search across all of his/her Standard Administrative Units without needing to know which Standard Administrative Unit contains the object. It is often used to simplify the searches performed by a centralized help desk. For more information about Global Administrative Units, see Configuration of Global Administrative Unit for Global search.
Configuration of custom Administrative Units
To create management boundaries that span multiple OUs, you need to create custom Administrative Units and configure the web queries inside them.
The scope of the default web queries included in the built-in Active Directory Administrative Unit is set to the default domain. Thus, the default web query enumerates all objects in the default domain.
The scope of the custom web queries included in a custom Administrative Unit is defined as the Administrative Unit scope during Administrative Unit creation. So, when you create a custom Administrative Unit, specify the scope of objects that matches the delegation task it solves.
Create a New Administrative Unit
- In the Administrative Console navigate to Admin Units (Web Queries). Each folder represents an Administrative Unit.
- Click the Active Directory Administrative Unit (folder).
- Click Copy on the Action menu; the Copy Rules Wizard will appear.
- Enter a name for the Administrative Unit. Consider using a name that administrators will recognize, such as the name of the OU or department this Administrative Unit will control.
- Click Create delegation for Web Administrators.
- Click Change Scope and Defaults.
- Click the button to the right of Limit Scope to this Domain or OU.
- Select the OU that will be managed through this Administrative Unit and click OK.
- Set default creation locations for Users, Groups, Computers and other objects by repeating the same process for each item in the Action and Picker Scopes section. For more details about these settings, please see the AD Users web query article.
- Click Copy; the new Administrative Unit will appear.
- Assign delegation to the new Administrative Unit (covered in Delegate access to Administrative Units below).
Modify an existing Administrative Unit's Web Queries
When you create a custom Administrative Unit, you can set the default folders used by the Administrative Unit by editing the Web Queries associated with it. For example, if the default OU for a New User created in a specific Administrative Unit must be adjusted, the Active Directory -> AD Users web query would be modified.
- In the Administrative Console navigate to Admin Units (Web Queries).
- Expand the Administrative Unit that will be modified to display the Web Queries associated with that Administrative Unit.
- Select the Web Query that will be modified; the Web Query form will appear on the right.
- Adjust the Web Query settings as needed. For more details about these settings, please see the AD Users web query article.
- Limit scope to this Domain or OU: this value is known as the Web Query Scope. By default, it is read from the default configuration of the platform covered by this query. Changing this value sets a hard boundary for the query, meaning administrators will not be able to manage objects outside of this scope.
- Query Criteria: query criteria determine what type of objects are displayed when the Web Query is executed by the admin.
- More Options: this section provides a method of changing the Domain Controller against which the Web Query is executed. Normally this will not require modification.
- Action and Picker Scopes: this section defines the policy and default values that actions use when they are executed with this Web Query selected. Actions are tasks such as Create New User or Reset Password. Pickers are dialog boxes that allow the admin to browse and select object(s), such as an OU, when an action requires it. For example, to use the Move command, the admin uses an object picker dialog box to select the destination OU for the object being moved.
- After the default values are changed as needed, click Save Changes to commit the changes.
Include User Description in Quick Search
- In the Administrative Console navigate to Admin Units (Web Queries).
- Expand the Administrative Unit that will be modified to display the Web Queries associated with that Administrative Unit.
- Select the AD Users Web Query; the Web Query form will appear on the right.
- Click the button to the right of the Query Criteria field.
- Click Add a Condition at the bottom left of the Define Filter dialog box.
- Change the conditional operator above the new condition from And to Or.
- In the new condition you added, enter: Description Like $searchValueWithAsterisk
Note: $searchValueWithAsterisk should be the same string for both the Name and Description conditions.
- Confirm the new condition values.
- Click OK.
- Click Save Changes.
Quick Search will now consider the Description attribute when searching for a user.
Delegate access to Administrative Units
For detailed information on this subject, please see: Role-Based Delegation & Attribute Security
- Navigate to Configuration -> Roles -> Web Administration.
- Locate the Delegation with the same name as the Administrative Unit to which you wish to grant access.
- In the Trustee section, click Add.
- Browse for the user or group that will have access to the Administrative Unit.
Note: The Queries and Actions of the Administrative Unit created in the previous set of steps were already added to the new delegation's Trustees permissions section. You can change them if you need to.
- Click OK.
- Click Save Changes at the bottom right to complete the delegation.
- Log in to the Cayosoft Web Administrator Portal to verify the Administrative Unit was created as expected.
Web query columns customization
Cayosoft Administrator has centralized column settings for Active Directory Web queries, shared among all Admin Units. You can customize these general column settings, or you can redefine them for certain Admin Units.
Default columns for Active Directory queries
To see which columns are defined as the default for Active Directory Web queries, perform the following steps:
- In Cayosoft Administrator go to HOME > CONFIGURATION > Active Directory
- Open the Customize Columns (Web Interface) section
- The list of Active Directory object queries and their default columns is displayed
This set of columns is used by default for all Active Directory Web queries in all Admin Units. You can modify them as you like: change column names, add more columns or remove some of them. But we recommend saving the default column set somewhere, so that you can restore the defaults for your Web queries.
How to define a column set for a single Web query in an Admin Unit
If you need to redefine the column set for a particular Active Directory Web query, perform the following steps:
- In Cayosoft Administrator open the Web query you need to modify
- Open the More Options section
- Specify the columns in the Properties to display setting
- After that, in the Cayosoft Web Portal browse to the Active Directory -> AD Users query
- You will see the specified columns
If you need to restore the default columns, you can always come back to Cayosoft Administrator, open this Web query and select Use Default Columns for AD Users query.
Columns formatting
To define a column for a Web query, specify the object property's LDAP name and the column name to display for it, separated by ~, for example mail~Email Address.
It's also possible to specify the column width and make the column invisible by default: mail~Email Address~true~25%. true or 1 as the third parameter means the column will be invisible; 25% defines the column width.
If the third parameter is not defined, the column will be visible in the Web Interface.
If the width is not set, all columns will have the same width.
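The following is an added example, not Cayosoft's own code: it parses column definitions in the ldapName~Column Name~hidden~width format described above into objects, so a column set can be reviewed for mistakes (missing column name, wrong hidden flag) before it is pasted into the Properties to display setting. The function name and the sample column set are assumptions.

```powershell
# Added example, not Cayosoft's own code: parse column definitions in the
# "ldapName~Column Name[~hidden[~width]]" format described above so a column
# set can be checked before it is pasted into the Properties to display setting.
function ConvertFrom-ColumnSpec {
    param([Parameter(Mandatory)][string[]]$Spec)

    foreach ($entry in $Spec) {
        $parts = $entry.Split('~')
        if ($parts.Count -lt 2 -or [string]::IsNullOrWhiteSpace($parts[0])) {
            throw "Invalid column definition '$entry': expected at least ldapName~Column Name"
        }
        # Third parameter: 'true' or '1' hides the column by default; absent means visible
        $hidden = $false
        if ($parts.Count -ge 3) {
            $hidden = $parts[2].Trim() -in @('true', '1')
        }
        # Fourth parameter: width such as 25%; absent means all columns get the same width
        $width = $null
        if ($parts.Count -ge 4 -and -not [string]::IsNullOrWhiteSpace($parts[3])) {
            $width = $parts[3].Trim()
        }
        [pscustomobject]@{
            LdapName   = $parts[0].Trim()
            ColumnName = $parts[1].Trim()
            Hidden     = $hidden
            Width      = $width
        }
    }
}

# Constructed sample column set (assumed values, not the product defaults)
$sample = @(
    'sAMAccountName~Logon Name',
    'mail~Email Address~true~25%',
    'department~Department~0~15%',
    'whenCreated~Created~1'
)
ConvertFrom-ColumnSpec -Spec $sample | Format-Table -AutoSize
```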
Advanced filtering of sub-OU objects
When Administrative Units are based on Active Directory organizational units (OUs), it may be necessary to include or exclude one or more sub-OUs.
Including multiple Organizational Units in the Admin Unit
Example: suppose you have multiple departments in your organization, one OU per department, and each department has a sub-OU that holds its service accounts.
To make management of the service accounts easier, you want to consolidate service account management into a single admin unit. To do this, create a new admin unit and configure the admin unit's query criteria.
- Open the configuration and automation console
- Navigate to Admin Units (Web Queries)
- Click the Active Directory Administrative Unit
- Click Copy Rules on the action menu
- Enter a name for the new administrative unit - Service Accounts
- Click Copy
- In the created administrative unit click the AD Users query
- To the far right of Limit scope to this Domain or OU click the Select button
- Select the domain that contains the OUs with service accounts
- To the far right of Query Criteria click the Select button
- Click Add a condition
- In the attribute name, paste msDS-parentdistname
- Select Equal for the operator
- Paste the DN of the first Service Account OU. You can copy it from ADUC with Advanced Features turned on, from the Attribute Editor tab of the OU object
- Repeat steps 11-14 (Add a condition through pasting the DN) for the other OUs
- Group all added conditions with Or: click Manage Grouping, select the checkboxes next to the conditions, and click Group. The resulting query criteria look like:
{(($searchAttrName -eq $searchValue) -or (Name -like $searchValueWithAsterisk)) -and ((msDS-parentdistname -eq "OU=Service Accounts,OU=MyOU,DC=mydomain,DC=name") -or (msDS-parentdistname -eq "OU=Service Accounts,OU=MyOU,DC=mydomain,DC=name"))}
- Click OK
- Click Save Changes
Excluding Built-in and Users default OUs from Search
Example: if you need the help desk team to manage all users in the Corp OU (OU=Corp,DC=cayodemo,DC=com), but not be allowed to see or manage user accounts in the Service Accounts sub-OU (OU=Service Accounts,OU=Corp,DC=cayodemo,DC=com), then you need to configure a filter.
- Open the configuration and automation console
- Navigate to Admin Units (Web Queries)
- Expand the Administrative Unit that will be modified and choose the AD Users web query
- In the Query section expand the More Options grouping
- To the far right of the Filter field click the Select button
- Below the list, click the Select button to the right of the Filter Conditions field
- Click Add a condition
- Configure the new condition as follows: DistinguishedName NotLike *CN=Builtin,DC=cayodemo,DC=com
- Repeat step 8 (add and configure a condition) for any additional OU that should be excluded from the AD User Search query
- Click OK
- Click Save Changes
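The following is an added example, not Cayosoft's own code, covering both procedures above (including sub-OUs by msDS-parentdistname and excluding containers with DistinguishedName NotLike): it evaluates those two criteria patterns against a constructed set of user objects so you can confirm exactly which accounts each admin unit would expose before the delegation is granted. The user DNs, the Finance OU and the function names are assumed sample values built on the cayodemo.com names in the text.

```powershell
# Added example, not Cayosoft's own code: evaluate the two criteria patterns
# above (include by msDS-parentdistname, exclude by DistinguishedName NotLike)
# against a constructed user set, to confirm what each admin unit would expose
# before its delegation is granted. OU names and DNs are assumed sample values.
$users = foreach ($dn in @(
        'CN=jsmith,OU=Corp,DC=cayodemo,DC=com',
        'CN=svc-sql,OU=Service Accounts,OU=Corp,DC=cayodemo,DC=com',
        'CN=svc-web,OU=Service Accounts,OU=Finance,DC=cayodemo,DC=com',
        'CN=Administrator,CN=Users,DC=cayodemo,DC=com')) {
    [pscustomobject]@{
        Name                  = ($dn -split ',')[0].Substring(3)
        DistinguishedName     = $dn
        # AD computes msDS-parentdistname as the DN minus its first RDN (no escaped commas here)
        'msDS-parentdistname' = $dn -replace '^[^,]+,', ''
    }
}

# Service Accounts admin unit: Or-grouped "msDS-parentdistname Equal <OU DN>" conditions
function Test-IncludedByParent {
    param($Object, [string[]]$ParentDn)
    foreach ($p in $ParentDn) {
        if ($Object.'msDS-parentdistname' -eq $p) { return $true }  # -eq is case-insensitive, like the filter
    }
    return $false
}

# Help desk admin unit: "DistinguishedName NotLike <pattern>" conditions in More Options > Filter
function Test-ExcludedByPattern {
    param($Object, [string[]]$NotLikePattern)
    foreach ($p in $NotLikePattern) {
        if ($Object.DistinguishedName -like $p) { return $true }
    }
    return $false
}

$serviceOus = 'OU=Service Accounts,OU=Corp,DC=cayodemo,DC=com',
              'OU=Service Accounts,OU=Finance,DC=cayodemo,DC=com'
$excluded   = '*CN=Builtin,DC=cayodemo,DC=com',
              '*CN=Users,DC=cayodemo,DC=com',
              '*OU=Service Accounts,OU=Corp,DC=cayodemo,DC=com'

'Service Accounts admin unit would show:'
($users | Where-Object { Test-IncludedByParent $_ $serviceOus }).Name
'Help desk admin unit (scope OU=Corp) would show:'
($users | Where-Object { $_.DistinguishedName -like '*,OU=Corp,DC=cayodemo,DC=com' -and
                         -not (Test-ExcludedByPattern $_ $excluded) }).Name
```

With this sample the first list contains only the two service accounts and the second only jsmith, which is the least-privilege outcome the two filters are meant to enforce; swapping in your own DNs lets you check a real scope the same way.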
Object Pickers Overview
Object pickers are the dialog boxes that allow you to browse the underlying system to make selections. For example, when creating a new user you may want to select an OU, or when managing group membership you may want to select a user or group object.
The Select OUs Object Picker
The Select Organizational Unit object picker allows the user to select an Active Directory OU. By default, this object picker limits the returned objects to the scope set by the Administrative Unit (a.k.a. the Web Query Scope).
To make searching for the correct OU easier, Cayosoft recommends updating the Display Name of all Organizational Units so that the DisplayName contains both the parent OU name and the name of the OU itself.
Improving Search by setting OU Display Name
The DisplayName attribute is one of the attributes flagged in Active Directory for use by Ambiguous Name Resolution (ANR) searches.
The DisplayName is used primarily for formatting the name as desired in the on-premises Microsoft Exchange Global Address List. In most customer environments it is not populated for OUs, as there is little value in doing so. By updating the DisplayName attribute, searching for OUs in a complex OU structure becomes faster and easier, since it essentially makes the relationship between OUs part of the ANR search.
- Open the configuration and automation console
- Click New Rule on the toolbar or Action menu
- Check Active Directory, then click Next
- Check OUs, then click Next
- Click AD Organizational Units | Set Display Name to Parent and Child
- Click Next
- Click Create and Save Report, then click Next
- Change the label as needed, then click Finish; the new rule will be displayed
- Expand the More Options section
- Set the Filter to {$_.DisplayName -eq $Null}
- Validate that Depth is set to Immediate Parent. The Immediate Parent option produces a format like London Users; the All Parents option produces a format like UK London Users
- Click Save
- Preview the Rule to ensure the proper OUs have been targeted
- Run the rule to update the OU DisplayName attribute of the targeted OUs
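The following is an added example, not Cayosoft's own code: it computes the DisplayName value that the Set Display Name to Parent and Child rule described above produces for an OU, for both the Immediate Parent and All Parents depth options, and applies the same {$_.DisplayName -eq $Null} filter so OUs that already have a DisplayName are left alone. The function name and the sample OUs are assumptions; only the London Users / UK London Users formats come from the text.

```powershell
# Added example, not Cayosoft's own code: compute the DisplayName the
# "Set Display Name to Parent and Child" rule above would write for an OU, for
# both Depth options, skipping OUs whose DisplayName is already set (the
# {$_.DisplayName -eq $Null} filter). The OUs below are constructed samples.
function Get-OuDisplayName {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [ValidateSet('ImmediateParent', 'AllParents')][string]$Depth = 'ImmediateParent'
    )
    # Keep only the OU= components (drop DC=), splitting on unescaped commas
    $ous = @(($DistinguishedName -split '(?<!\\),') |
        Where-Object { $_ -like 'OU=*' } |
        ForEach-Object { $_.Substring(3) -replace '\\,', ',' })
    if ($ous.Count -eq 0) { throw "Not an OU DN: $DistinguishedName" }

    $child   = $ous[0]
    $parents = @($ous | Select-Object -Skip 1)           # nearest parent first
    if ($Depth -eq 'ImmediateParent') {
        $parents = @($parents | Select-Object -First 1)
    }
    [array]::Reverse($parents)                           # root-most parent first
    return (($parents + $child) -join ' ')               # "UK London Users" / "London Users"
}

$sampleOus = @(
    [pscustomobject]@{ DistinguishedName = 'OU=Users,OU=London,OU=UK,DC=cayodemo,DC=com'; DisplayName = $null }
    [pscustomobject]@{ DistinguishedName = 'OU=Users,OU=Paris,OU=France,DC=cayodemo,DC=com'; DisplayName = 'Paris Users' }
    [pscustomobject]@{ DistinguishedName = 'OU=Corp,DC=cayodemo,DC=com'; DisplayName = $null }
)

# Same filter as the rule: only OUs with an empty DisplayName are touched
foreach ($ou in $sampleOus | Where-Object { $null -eq $_.DisplayName }) {
    foreach ($depth in 'ImmediateParent', 'AllParents') {
        '{0,-16} {1,-45} -> {2}' -f $depth, $ou.DistinguishedName, (Get-OuDisplayName $ou.DistinguishedName $depth)
    }
}
```

Running the rule in Preview mode against the real directory remains the authoritative check; this block only lets you predict the values for a given OU layout before doing so.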
Overview of Attribute Policies
In version 4.1.3 and later, Attribute Policies are the preferred method for controlling how users interact with attributes. Attribute Policies control attribute data modification in the following ways:
- The value is required
- Minimum and maximum length of an entry
- Mask that controls the format in which the data must be entered
- Generation option for attributes that are constructed
- Default value
- Possible values
- Label used on dialog boxes
Use attribute policies to set default password
- Open the Cayosoft Administrator console
- Navigate to Attribute Policies
- Click the Add Attribute Policy button in the upper right corner
- Enter the name of the new policy, then expand the Policy Details
- Click Add in the Policy Scope section
- In the Specify Policy Scope dialog, select the Active Directory admin unit
- In the Select web query column, select AD Users
Note: you can select additional web queries if needed, such as AD User Templates, AD Users (Inactive), or AD Users (Locked out)
- In Web Actions, select New User and Clone User
- Click OK
- Select the Policy Scope you just created; the second half of the policy will display the attributes within the scope you created
- In the Attribute policy settings section, select the Auto-generated password item and click the Edit policy button
- In the Attribute policy for Auto-generated password dialog, select the Default Value checkbox and set its value to false.
- Click OK
- Select Password in Attribute policy settings, then click the Edit policy button
- In the Attribute policy for Password dialog, select the Default Value checkbox and set its value to the password you want to be the default.
- Click OK
- Click Save Changes