Overview
Typically, each group of delegated admins is given a dedicated Virtual Admin Unit in which they hold the permissions they need to locate and manage users and groups. Sometimes a search across all Virtual Admin Units is required. In this case, a Global Virtual Admin Unit needs to be configured.
A Global Virtual Admin Unit derives its scopes from the Standard Virtual Admin Units delegated to the current administrator. It allows a delegated admin to search across all of their Standard Virtual Admin Units without knowing which Standard Virtual Admin Unit contains the object. This is often used to simplify the searches performed by a centralized help desk.
Configure Virtual Admin Unit for Global Search
- In Admin Console navigate to Home > Configuration > Web Portal > Admin Units.
- Click New Virtual Admin Unit.
- Specify the Virtual Admin Unit name.
- Select the following Active Directory web queries:
- AD Computers
- AD Contacts
- AD Users
- AD Groups
- Set Limit scope to this Domain or OU to default value:
- You can create a default delegation rule for this Admin Unit and add Admin Unit administrators, who will be granted full control over all objects included in the Admin Unit.
- Click Finish.
Configure web queries
Enable Global Search mode and modify the Limit scope setting for each web query that was added to Admin Unit.
- Action and Picker Scopes
- Suspend Policy
- Regional Settings
- Office 365 License Quota
- In the Query section set the Limit scope to this Domain or OU to Global Search in all domains.
- In the More Options section specify the Global Search mode: All enabled domains in all forests or All enabled domains in the home forest:
Delegate access to Standard Virtual Admin Units and their web queries
Because the Global Virtual Admin Unit derives its scopes from the Standard Virtual Admin Units delegated to the current administrator, delegation must be configured for each Admin Unit, and for its web queries, that should be included in the Global Virtual Admin Unit.
Delegate access to Global Search Virtual Admin Unit
When creating a Virtual Admin Unit, you can create a default delegation rule for this Admin Unit and add Admin Unit administrators, who will be granted full control over all objects included in the Admin Unit. A delegation rule with the same name as the Global Admin Unit will be created:
- In Cayosoft Admin Console navigate to Configuration > Roles > Web Administration
- Locate the Delegation rule with the same name as the Global Admin Unit.
All Queries and Actions are already added to the new delegation rule. As a result, every action is shown when an object is selected in the Global Admin Unit, but some actions are disabled, depending on the delegation over the Admin Unit where the object is located. In other words, commands are shown according to the delegation on the Global Admin Unit and web query, but are enabled or disabled according to the target object's Admin Unit. You can change the trustees and their permissions if needed.
If you skip this step you can create a delegation rule separately.
Advanced Filtering
Exclude some users from the Global Virtual Admin Unit
If some objects need to be excluded from the Global Virtual Admin Unit, that can be done with Query Criteria filtering.
For example, you need to exclude all user accounts if their description is "Service account".
- In Cayosoft Admin Console expand Global Virtual Admin Unit and choose AD Users Web Query
- In the Query section in Query Criteria click Select button
- Configure the new condition as follows:
Now all user accounts that have Service Account in the description won't be displayed in the Global Search Virtual Admin Unit.
Exclude some OUs from Global Virtual Admin Unit
The Global Virtual Admin Unit is based on different Admin Units. It may be necessary to exclude from the Global Search Virtual Admin Unit one or more OUs that are included in those Virtual Admin Units.
For example, if the helpdesk should manage all users in the Corp OU (OU=Corp,DC=cayodemo,DC=com), but must not be allowed to see or manage user accounts in the Service Accounts sub-OU (OU=Service Accounts,OU=Corp,DC=cayodemo,DC=com), then a filter must be applied.
Exclude Service Accounts OU from Global Virtual Admin Unit
- In Cayosoft Admin Console expand Global Virtual Admin Unit and choose AD Users Web Query
- In the Query section expand the More Options section
- Find Filter and click Select button
- Configure the new condition as follows:
- Click OK
- Click Save Changes
Now user accounts from Service Accounts OU won't be displayed in the Global Virtual Admin Unit.
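Before handing the Global Virtual Admin Unit to a help desk, it helps to list which accounts should remain visible once both exclusions above are in place, and compare that list with what the portal actually shows. The following is an added example, not Cayosoft code: it models the derived scope (Standard unit scopes minus the excluded OU and the excluded description) over a constructed account list, and the function names, the sample accounts, and the exact, case-insensitive description match are assumptions.

```python
import re

def split_dn(dn):
    """Split a DN into lower-cased RDNs, keeping backslash-escaped commas intact.
    Simplification: a value ending in an escaped backslash is not handled."""
    return [p.strip().lower() for p in re.split(r"(?<!\\),", dn) if p.strip()]

def is_under(dn, base):
    """True when dn equals base or sits anywhere beneath it (subtree scope).
    Comparing whole RDNs avoids substring mistakes such as OU=NotCorp vs OU=Corp."""
    d, b = split_dn(dn), split_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def visible_in_global(user, delegated_scopes, excluded_ous, excluded_description):
    """Model of the expected result: inside a delegated Standard unit scope,
    outside every excluded OU, and without the excluded description."""
    dn = user["dn"]
    desc = (user.get("description") or "").strip().lower()
    if not any(is_under(dn, scope) for scope in delegated_scopes):
        return False  # not in any Standard unit delegated to this admin
    if any(is_under(dn, ou) for ou in excluded_ous):
        return False  # hidden by the OU filter
    return desc != excluded_description.lower()  # hidden by Query Criteria

# Scopes and exclusions taken from the examples on this page.
DELEGATED = ["OU=Corp,DC=cayodemo,DC=com"]
EXCLUDED_OUS = ["OU=Service Accounts,OU=Corp,DC=cayodemo,DC=com"]
EXCLUDED_DESCRIPTION = "Service account"

# Constructed sample accounts (not real directory data).
USERS = [
    {"dn": "CN=Smith\\, John,OU=Sales,OU=Corp,DC=cayodemo,DC=com", "description": "Sales"},
    {"dn": "CN=svc-backup,OU=Service Accounts,OU=Corp,DC=cayodemo,DC=com", "description": ""},
    {"dn": "CN=svc-web,OU=IT,OU=Corp,DC=cayodemo,DC=com", "description": "Service account"},
    {"dn": "CN=Lee Ann,OU=NotCorp,DC=cayodemo,DC=com", "description": "Contractor"},
    {"dn": "CN=jdoe,ou=corp,dc=CAYODEMO,dc=com", "description": None},
]

def visible_dns():
    """DNs the help desk is expected to see in Global Search."""
    return [u["dn"] for u in USERS
            if visible_in_global(u, DELEGATED, EXCLUDED_OUS, EXCLUDED_DESCRIPTION)]

if __name__ == "__main__":
    for dn in visible_dns():
        print(dn)
```

Any account that appears in the portal's Global Search but not in this expected list points to a missing filter or an over-broad delegation on one of the Standard Virtual Admin Units.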
Change History
Version | Notes |
---|---|
8.4.0 | Multi-forest management has been added and Global Search has been updated. |