Overview
Typically, each group of delegated admins is given a dedicated Administrative Unit in which they hold the required permissions and which they use to locate and manage users and groups. Sometimes a search across all Administrative Units is needed. In this case, a Global Administrative Unit needs to be configured.
A Global Administrative Unit derives its scopes from the Standard Administrative Units delegated to the current administrator. Global Administrative Units allow a delegated admin to search across all of their Standard Administrative Units without needing to know in which Standard Administrative Unit the object can be found. This is often used to simplify the searches performed by a centralized help desk.
Configuration of Global Administrative Unit
- In the Cayosoft Administrative Console, navigate to Admin Units (Web Queries). (In Web Queries, each folder represents an Administrative Unit.)
- Click the Active Directory Administrative Unit.
- Click Copy Rules on the Action menu. The Copy Rules Wizard will appear.
- Specify a new name, for example Global search.
- Click Create delegation for Web Administrators.
- In Limit Scope to this Domain or OU, select Use scopes from delegated Web Queries (GC Search). This forces Cayosoft Administrator to contact the Global Catalog and search across the entire AD forest.
  Tip: Change the Global Catalog if the automatically selected DC is causing delays and interruptions in Global Search functionality and automation rules.
- In the More Options section, in Domain Controller, select Default Domain Controller (GC).
- Click Copy.
Delegate access to Global Administrative Unit
- In the Cayosoft Administrative Console, navigate to Configuration > Roles > Web Administration.
- Locate the Delegation rule with the same name as the Global Administrative Unit to which you wish to grant access.
- In the Trustee section, click Add.
- Browse for the user or group that will have access to the Global Administrative Unit.
- Click OK.
- Click Save Changes to complete the delegation.
- Log in to the Cayosoft Web Administrator Portal to verify the Global Administrative Unit was created as expected.
Advanced Filtering
Exclude some users from Global Administrative Unit
If some objects need to be excluded from the Global Administrative Unit, this can be done with Query Criteria filtering.
For example, suppose you need to exclude all user accounts whose description is "Service account".
- In Cayosoft Administrative Console navigate to Admin Units (Web Queries)
- Expand Global Administrative Unit and choose AD Users Web Query
- In Query section in Query Criteria click Select button
- Configure the new condition as follows:
Now all user accounts that have "Service Account" in description won't be displayed in Global Administrative Unit.
Exclude some OUs from Global Administrative Unit
A Global Administrative Unit is based on different Administrative Units. It may be necessary to exclude from the Global Administrative Unit one or more OUs that are included in those Administrative Units.
For example, if the help desk should manage all users in the Corp OU (OU=Corp,DC=cayodemo,DC=com), but not be allowed to see or manage user accounts in the Service Accounts sub-OU (OU=Service Accounts,OU=Corp,DC=cayodemo,DC=com), then a filter must be applied.
Exclude Service Accounts OU from Global Administrative Unit
- In Cayosoft Administrative Console navigate to Admin Units (Web Queries)
- Expand Global Administrative Unit and choose AD Users Web Query
- In the Query section expand More Options section
- Find Filter and click Select button
- Configure the new condition as follows:
- Click OK
- Click Save Changes
Now user accounts from Service Accounts OU won't be displayed in Global Administrative Unit.
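The combined effect of the delegated scopes and the two exclusions above can be modeled offline to audit an exported account list before help desk access is granted. This is an added example, not Cayosoft code: the export format (dicts with `dn` and `description`), the function names, and the case-insensitive "contains" match on description are assumptions.

```python
# Added illustration: a model of the scoping described on this page, not Cayosoft code.
def split_dn(dn):
    """Split a DN into lower-cased RDNs, honouring backslash-escaped commas."""
    parts, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur += dn[i:i + 2]          # keep the escape and the escaped character together
            i += 2
            continue
        if dn[i] == ",":
            parts.append(cur.strip().lower())
            cur = ""
        else:
            cur += dn[i]
        i += 1
    parts.append(cur.strip().lower())
    return parts

def in_subtree(dn, base):
    """True when dn is base itself or lies beneath it (compared per RDN, not as a string suffix)."""
    d, b = split_dn(dn), split_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def visible_in_global_au(user, delegated_scopes, excluded_ous, excluded_description):
    """Apply delegated scopes, then the OU filter, then the description criterion."""
    if not any(in_subtree(user["dn"], s) for s in delegated_scopes):
        return False                    # outside every delegated Standard Administrative Unit
    if any(in_subtree(user["dn"], ou) for ou in excluded_ous):
        return False                    # excluded OU
    desc = (user.get("description") or "").lower()
    return excluded_description.lower() not in desc   # assumed: case-insensitive contains

# Constructed sample data built around the page's example DNs.
SCOPES = ["OU=Corp,DC=cayodemo,DC=com"]
EXCLUDED_OUS = ["OU=Service Accounts,OU=Corp,DC=cayodemo,DC=com"]
USERS = [
    {"dn": "CN=Alice Hall,OU=Corp,DC=cayodemo,DC=com", "description": "Sales"},
    {"dn": "CN=svc-backup,OU=Service Accounts,OU=Corp,DC=cayodemo,DC=com", "description": ""},
    {"dn": "CN=svc-sql,OU=IT,OU=Corp,DC=cayodemo,DC=com", "description": "Service Account for SQL"},
    {"dn": "CN=Hall\\, Bob,OU=Corp,DC=cayodemo,DC=com", "description": None},
    {"dn": "CN=Kim,OU=Service Accounts Archive,OU=Corp,DC=cayodemo,DC=com", "description": "Contractor"},
    {"dn": "CN=Eve,OU=Partners,DC=cayodemo,DC=com", "description": "Partner"},
]

def audit(users):
    """Return the DNs a help desk admin would see under the modeled rules."""
    return [u["dn"] for u in users if visible_in_global_au(u, SCOPES, EXCLUDED_OUS, "Service account")]

if __name__ == "__main__":
    print("\n".join(audit(USERS)))
```

A service account that sits outside the excluded OU and has no matching description, or an OU whose name merely begins with "Service Accounts", remains visible, so both filters should be checked against a real export.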