Overview
Virtual Admin Units are sets of queries that can be used to represent administrative boundaries and simplify day-to-day tasks within the Cayosoft Administrator Web Portal. Administrative Portal users must first be delegated the correct role membership to see any of the built-in Virtual Admin Units.
The out-of-the-box Virtual Admin Units include Active Directory, Microsoft 365, and Self-Service. Additional Virtual Admin Units can be constructed to mirror existing Active Directory Organizational Units (OUs) or to create new types of management boundaries that cut across multiple OUs.
What do Virtual Admin Units do?
- Control what administrators can see and do within the Administrative Web Portal.
- Limit administrators to working within one logical or geographical scope of a specific platform. For example, limit administrators to managing the objects in a single OU, or only those objects associated with a specific department or office location.
- Set default values that are used when administrators click an Action. For example, a Virtual Admin Unit can define the default location for a new User when an administrator clicks the New User action.
The different types of Administrative Units
- Predefined Virtual Admin Units: the built-in Active Directory and Microsoft 365 Virtual Admin Units. You can modify the web query settings in these Virtual Admin Units, but Cayosoft recommends creating a copy of them and modifying the copy instead.
- Custom Virtual Admin Units: Virtual Admin Units that were copied from the predefined Virtual Admin Units and then had their settings modified. For more information, see the Configuration of custom Virtual Admin Units section below.
- Global Virtual Admin Unit: this type of Virtual Admin Unit derives its scope(s) from the standard Administrative Units delegated to the current administrator. It allows a delegated admin to search across all of their standard Administrative Units without needing to know which standard Virtual Admin Unit an object can be found in, and is often used to simplify the searches performed by a centralized help desk. For more information about Global Virtual Admin Units, see Configuration of Global Administrative Unit for Global search.
Configuration of custom Administrative Units
To create the management boundaries across multiple OU structures you need to create custom Virtual Admin Units and configure the web queries inside them.
The scope for the default web queries included in the built-in Active Directory Admin Unit is set to the default domain. Thus, the default web query enumerates all objects in the default domain.
The scope for the custom web queries included in the custom Virtual Admin Unit is defined during Administrative Unit creation. So, when you create a custom Virtual Admin Unit, you should specify the scope of the objects that will match the delegation tasks it solves.
Creating a Virtual Admin Unit
When creating a new Virtual Admin Unit, you can:
- Select what web queries you need to have in it: Active Directory, Microsoft 365, or both.
- Limit the scope of Active Directory web queries to domain or OU.
- Define the default location for new object creation.
- Set Additional scopes for object selection in object pickers dialogs and Move scopes.
- Limit the scope of Microsoft 365 web queries to Azure AD Administrative Unit.
- Create a default delegation rule for the created Virtual Admin Unit.
Using Virtual Admin Units also allows you to:
- Perform a bulk update of the settings of the web queries included in the Virtual Admin Unit.
- Expand the set of web queries included in the Virtual Admin Unit by adding web queries that were not added during Virtual Admin Unit creation.
- Copy web queries from one Virtual Admin Unit to another.
To create a New Virtual Admin Unit:
- In Admin Console navigate to Home > Configuration > Web Portal > Admin Units.
- In Actions click New Virtual Admin Unit.
- Specify General settings:
Setting name | Description |
---|---|
Virtual Admin Unit name; Description | Specify the Virtual Admin Unit name and description. |
Membership queries | Check the membership queries that you want to include in this Virtual Admin Unit. |
- Click Next.
- Specify Active Directory and Microsoft 365 settings:
Setting name | Description |
---|---|
Active Directory Settings | |
Limit scope to this Domain or OU | This setting defines the scope of objects to include in each Active Directory web query that was added to the Admin Unit. |
Action and Picker Scopes | See Action and Picker Scopes under Tabs > Settings below for details. |
Suspend Configuration | Specify new Suspend and Undo Configurations for these object types: AD User, AD Group, AD Computer, Microsoft 365 User. |
Microsoft 365 Settings | |
Limit scope to this Azure AD Administrative Unit | You can limit the scope of Microsoft 365 web queries to the members of the specified Azure AD Administrative Unit. If the specified Azure AD Administrative Unit doesn't exist, it will be created. |
Treat selected Azure AD Administrative Unit as container | Check this setting if you want the selected Azure AD Administrative Unit to behave like an Active Directory Organizational Unit: when a new member is added to this Azure AD Administrative Unit, Cayosoft Administrator removes this member from all other Azure AD Administrative Units marked as containers. You can also set whether Azure AD Administrative Units should be treated as containers in the Microsoft Office 365 extension. |
Suspend Configuration | Specify new Suspend and Undo Configurations for the Microsoft 365 User object type. |
- Click Next.
- Specify Other settings:
Setting name | Description |
---|---|
Create default delegation rule for this Admin Unit | Check this setting if you want to create a default delegation rule for the created Admin Unit. |
Admin Unit administrators | You can specify Admin Unit administrators for the created delegation rule. They will be granted full control over all objects included in the Admin Unit. Editing this delegation rule, and adding and removing other rules, is done on the Admin Unit screen. |
- Click Finish.
Adding Query to Virtual Admin Unit
You can add a query to the created custom Virtual Admin Unit:
- In Admin Console select the Virtual Admin Unit you need to modify.
- In Actions click Add Query.
- Select the queries to add. You can filter queries by target system, or search for a query by its name.
- Check the queries you need to add to the Virtual Admin Unit.
- Click Ok.
Modifying Queries in Virtual Admin Unit
Usually, web queries that are related to the same target system share the same settings. To avoid changing the same settings in each web query of a custom Virtual Admin Unit one at a time, use the Modify Queries command:
- In Admin Console select custom Virtual Admin Unit.
- In Actions click Modify Queries.
- Select the web queries whose settings you need to modify.
- Click Next.
- Select the settings that you need to modify.
- Click Next.
- Specify values for the selected settings.
- Click Finish.
Copying custom Virtual Admin Unit
You can create a copy of a custom Virtual Admin Unit with all web queries that it has:
- In Admin Console select the custom Virtual Admin Unit that you want to copy.
- Click Copy.
- Enter the Virtual Admin Unit name.
- Check Create delegation for Web Administrators if you need to create the delegation rule.
- Click Ok.
Copying Query into specified Virtual Admin Unit
If you have a web query that you also need to have in some other custom Virtual Admin Unit, you can copy it:
- In Admin Console select the web query that you want to copy.
- Click Copy Into.
- Select the custom Virtual Admin Unit into which you want to copy this web query.
- Click Ok.
Tabs
Settings
Active Directory Virtual Admin Units
Setting name | Description |
---|---|
Active Directory Settings | |
Limit scope to this Domain or OU | This setting defines the scope of objects to include in each Active Directory web query added to the Admin Unit. |
Action and Picker Scopes | |
Default OU for new user; Default OU for new group; Default OU for new computer; Default OU for new object | Specify the default OU where new objects will be created when running the corresponding commands from web queries included in this Virtual Admin Unit. By default, the value from the Virtual Admin Unit's Limit scope to this Domain or OU setting is used. |
Additional Scope(s) for Object Selection | Use this setting in two primary scenarios. The Object Picker dialog is used on multiple forms: it appears when selecting an object inside a form, for example when selecting groups in the Add to Groups form or the user's manager in the Properties form. By default, this setting is empty, and only objects from the scope specified in the Limit scope to this Domain or OU setting are listed in the Object Picker. To allow delegated administrators to select objects from additional Organizational Units, add those OUs to the Additional Scope(s) for Object Selection setting. Example: suppose the AD Users web query scope is limited to OU=OU1,DC=cayo,DC=com, and you need to add User1, located in OU1, to Group1, located in OU3, and to groups located in OU2. In Additional Scope(s) for Object Selection specify the distinguished names CN=Group1,OU=OU3,DC=cayo,DC=com and OU=OU2,DC=cayo,DC=com. Neither of these objects is included in the AD Users web query scope, but when you add a user to a group you can now add this user not only to groups located in OU1 but also to Group1 in OU3 and to groups located in OU2; these groups can be found and selected in the Object Picker dialog. |
Move Scope(s) | Specify additional scopes to search for Organizational Units in the Object Picker dialog. The Object Picker dialog appears when selecting an object inside a form and is used on the Move forms for Active Directory users, groups, contacts, and computers. By default, this setting is empty, and only OUs from the scope specified in the Limit scope to this Domain or OU setting are listed in the Object Picker. To allow delegated administrators to move objects to additional Organizational Units, add those OUs to the Move Scope(s) setting. Example: suppose the AD Users web query scope is limited to OU=OU1,DC=cayo,DC=com, and you need to move User1, located in OU1, to OU2. In Move Scope(s) specify the distinguished name of the additional OU: OU=OU2,DC=cayo,DC=com. This OU is not included in the AD Users web query scope, but when you move User1 to another OU you can now move this user not only to OUs located in OU1 but also to OU2; this OU can be found and selected in the Object Picker dialog. Note: the Move Scope(s) setting overrides the Limit scope to this Domain or OU setting: computer accounts can be moved only to OUs that are specified in the Move Scope(s) setting. The first OU DN value in the list is the default container for moves. |
Move Scope(s) Search Depth | You can select the depth of the move scope. There are two options: |
Microsoft 365 Virtual Admin Units
Setting name | Description |
---|---|
Limit scope to this Azure AD Administrative Unit | You can select an Azure AD Administrative Unit to limit the web query scope. |
Delegation
The Delegation tab has a list of the Delegation Rules that affect the selected Admin Unit:
- Delegation Rules that have the selected Virtual Admin Unit in their scope;
- Delegation Rules that have All Admin Units in their scope.
Click Add Delegation Rule to add a new Delegation Rule that defines which web actions in which web queries of this Virtual Admin Unit are available to the selected trustees.
Click View all Delegation Rules to navigate to Home > Configuration > Roles > Web Administrators and see the general list of Delegation Rules configured for all Virtual Admin Units.
You can search Delegation Rules by name.
For more information about role-based delegation please see the Role-based delegation – Cayosoft Help Center article.
Policy
The Policy tab has a list of the Attribute Policies that affect the selected Admin Unit:
- Attribute Policies that have the selected Virtual Admin Unit in their scope;
- Attribute Policies that have All Admin Units in their scope.
Click Add Attribute Policy to add a new Attribute Policy that defines the visibility and enforcement of the attribute data displayed on the forms in the Web Portal.
Click View all Attribute Policies to navigate to Home > Configuration > Web Portal > Attribute Policies and see the general list of Attribute Policies configured for all Virtual Admin Units.
You can search Attribute Policies by name.
For more information about Attribute Policies please see the Attribute Policies – Cayosoft Help Center article.
License Profiles
The License Profiles tab has a list of the License Profiles that affect the selected Admin Unit:
- License Profiles that have the selected Virtual Admin Unit in their scope;
- License Profiles that have All Admin Units in their scope.
Click Add License Profile to add a new License Profile that will define which Microsoft 365 licenses and options should be assigned to users who are in the scope of the selected Virtual Admin Unit.
Click View all License Profiles to navigate to Home > and see the general list of License Profiles that are configured for all Virtual Admin Units.
You can search License Profiles by their name.
For more information about License Profiles please see License Profiles – Cayosoft Help Center article.
Including multiple Organizational Units in the Admin Unit
Example: suppose you have multiple departments in your organization, one OU per department, and each department has a sub-OU that collects service accounts.
To make the management of the service accounts easier, you need to consolidate service account management into a single admin unit. To do this, create a new admin unit and configure the admin unit's query criteria:
- In the Administrator Console navigate to Home > Configuration > Web Portal > Virtual Admin Units.
- Create a new Active Directory Virtual Admin Unit with the AD Users web query.
- In the created administrative unit click the AD Users query.
- To the far right of Limit scope to this Domain or OU click the Select button.
- Select the domain that contains the OUs with service accounts.
- To the far right of Query Criteria click the Select button.
- Click Add a condition.
- In the attribute name, paste msDS-parentdistname.
- Select Equal as the operator.
- Paste the DN of the first Service Account OU. You can copy it from ADUC with Advanced Features turned on, from the Attribute Editor tab of the OU object.
- Repeat steps 11-14 for the other OUs.
- Group all added conditions by Or:
  - To do so, click Manage Grouping.
  - Click the checkboxes near the conditions.
  - Click Group.
The resulting query criteria look like this:
```
{(($searchAttrName -eq $searchValue) -or (Name -like $searchValueWithAsterisk)) -and ((msDS-parentdistname -eq "OU=Service Accounts,OU=MyOU,DC=mydomain,DC=name") -or (msDS-parentdistname -eq "OU=Service Accounts,OU=MyOU,DC=mydomain,DC=name"))}
```
- Click OK.
- Click Save Changes.
Excluding Built-in and User default OUs from Search
Example: if you need the help desk team to manage all users in the domain but not be allowed to see or manage user accounts in the Built-in and Users OUs, configure a post-filter in the web query:
- Open the Administrator Console.
- Navigate to the Active Directory Administrative Unit and choose the AD Users web query.
- In the Query section expand the More Options grouping.
- To the far right of the Filter field click the Select button.
- Below the list, click the Select button to the right of the Filter Conditions field.
- Click Add a condition.
- Configure the new conditions as follows:
```
DistinguishedName NotLike *CN=Builtin,DC=cayodemo,DC=com
DistinguishedName NotLike *CN=Users,DC=cayodemo,DC=com
```
- Click OK.
- Click Save Changes.
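As an added example (not Cayosoft's code), the following Python models how the scope settings from the Settings tab (Limit scope, Additional Scope(s) for Object Selection, Move Scope(s)), the Or-grouped msDS-parentdistname criteria from the service-account procedure, and the NotLike post-filter from this procedure together decide what a delegated administrator can list, select and move to. The DNs are constructed samples in the style of the page's examples; the class and method names are assumptions of this example, and the computer-only rule follows the page's Move Scope(s) note literally.

```python
from dataclasses import dataclass

def _rdns(dn):
    # Lower-cased RDN list; the constructed sample DNs contain no escaped commas.
    return [p.strip().lower() for p in dn.split(",")]

def in_subtree(dn, scope_dn):
    """Limit-scope semantics: dn is scope_dn itself or lies anywhere beneath it."""
    d, s = _rdns(dn), _rdns(scope_dn)
    return len(d) >= len(s) and d[-len(s):] == s

def parent_dn(dn):
    """What msDS-parentdistname holds: the DN minus its leading RDN."""
    return dn.split(",", 1)[1] if "," in dn else ""

@dataclass
class VirtualAdminUnit:
    limit_scope: str                 # Limit scope to this Domain or OU
    parent_ous: tuple = ()           # query criteria: msDS-parentdistname -eq <OU DN>, grouped by Or
    exclude_suffixes: tuple = ()     # post-filter: DistinguishedName NotLike *<suffix>
    additional_scopes: tuple = ()    # Additional Scope(s) for Object Selection
    move_scopes: tuple = ()          # Move Scope(s)
    def lists(self, dn):
        """Does the AD Users web query return this object?"""
        if not in_subtree(dn, self.limit_scope):
            return False
        if self.parent_ous and parent_dn(dn).lower() not in [p.lower() for p in self.parent_ous]:
            return False  # -eq matches the direct parent only; deeper nesting is not included
        # NotLike with a leading * is a plain string-suffix test, not an RDN-aware one
        return not any(dn.lower().endswith(s.lower()) for s in self.exclude_suffixes)
    def can_select(self, dn):
        """Object Picker: limit scope plus each Additional Scope (an OU or a single object DN)."""
        return any(in_subtree(dn, s) for s in (self.limit_scope, *self.additional_scopes))
    def can_move_to(self, ou_dn, object_class="user"):
        """Move form targets; per the page's note, computers may go only into Move Scope(s)."""
        in_move = any(in_subtree(ou_dn, s) for s in self.move_scopes)
        if object_class == "computer" and self.move_scopes:
            return in_move
        return in_move or in_subtree(ou_dn, self.limit_scope)
    def default_move_target(self):
        return self.move_scopes[0] if self.move_scopes else None  # first Move Scope DN is the default container

# Constructed configurations mirroring the page's three examples.
PICKER_UNIT = VirtualAdminUnit("OU=OU1,DC=cayo,DC=com",
    additional_scopes=("CN=Group1,OU=OU3,DC=cayo,DC=com", "OU=OU2,DC=cayo,DC=com"),
    move_scopes=("OU=OU2,DC=cayo,DC=com",))
HELPDESK_UNIT = VirtualAdminUnit("DC=cayodemo,DC=com", exclude_suffixes=("CN=Builtin,DC=cayodemo,DC=com", "CN=Users,DC=cayodemo,DC=com"))
SERVICE_UNIT = VirtualAdminUnit("DC=mydomain,DC=name",
    parent_ous=("OU=Service Accounts,OU=HR,DC=mydomain,DC=name", "OU=Service Accounts,OU=IT,DC=mydomain,DC=name"))
```

Checking a proposed unit against the DNs it must and must not expose, as the assertions below do, is a cheap way to confirm that a help-desk delegation really hides the Users and Builtin containers before the delegation rule is created.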
Change History
Version | Notes |
---|---|
10.3.0 | Suspend Configuration section has been added. |