Global Virtual Admin Unit for Global Search
Overview
Typically, each group of delegated admins is given a dedicated Virtual Admin Unit in which they hold the permissions they need to locate and manage users and groups. Sometimes a search across all Virtual Admin Units is required. In this case, a Global Virtual Admin Unit needs to be configured.
A Global Virtual Admin Unit derives its scopes from the Standard Virtual Admin Units delegated to the current administrator. It allows a delegated admin to search across all of their Standard Virtual Admin Units without needing to know which Standard Virtual Admin Unit contains the object. This is often used to simplify the searches performed by a centralized help desk.
Configure Virtual Admin Unit for Global Search
In the Cayosoft Administrator Console, navigate to Home > Configuration > Web Portal > Admin Units.
Click New Virtual Admin Unit.
Specify the Virtual Admin Unit name.
Select the following Active Directory web queries:
AD Computers
AD Contacts
AD Users
AD Groups
Set Limit scope to this Domain or OU to the default value.
You can create a default delegation rule for this Admin Unit and add Admin Unit administrators, who will be granted full control over all objects included in the Admin Unit.
Click Finish.
Configure web queries
Enable the Global Search mode and modify the Limit scope setting for each web query that was added to the Admin Unit.
NOTE: In global search web queries, the settings in the following sections are ignored. Configure them in the Active Directory web queries that are included in the global search:
Action and Picker Scopes
Suspend Policy
Regional Settings
Office 365 License Quota
To configure web queries:
In the Query section, set the Limit scope to this Domain or OU to Global Search in all Domains.
In the More Options section, specify the Global Search mode: All enabled domains in all forests or All enabled domains in the home forest.
Delegate access to Standard Virtual Admin Units and their web queries
Because the Global Virtual Admin Unit derives its scopes from the Standard Virtual Admin Units delegated to the current administrator, you should have delegation configured for each Admin Unit, and its web queries, that should be included in the Global Virtual Admin Unit.
Delegate access to Global Search Virtual Admin Unit
NOTE: In the Global Admin Unit, all commands that create new objects are hidden. To create a new object, navigate to the corresponding Admin Unit where you have permission to create this object.
When creating a Virtual Admin Unit, you can create a default delegation rule for this Admin Unit and add Admin Unit administrators, who will be granted full control over all objects included in the Admin Unit. A delegation rule with the same name as the Global Admin Unit will be created:
In the Cayosoft Administrator Console, navigate to Configuration > Roles > Web Administration.
Locate the Delegation rule with the same name as the Global Admin Unit.
All Queries and Actions are already added to the new delegation. As a result, all actions are shown when an object is selected in the Global Admin Unit, but some of them are disabled, according to the delegation over the Admin Unit where the object is located. In other words, commands are shown according to the delegation on the Global Admin Unit and web query, but are enabled or disabled according to the Admin Unit of the target object. You can change trustees and their permissions if needed.
If you skip this step, you can create a delegation rule separately.
Advanced Filtering
Exclude some users from the Global Virtual Admin Unit
If some objects need to be excluded from the Global Virtual Admin Unit, that can be done with Query Criteria filtering.
For example, suppose you need to exclude all user accounts whose description is "Service account".
In the Cayosoft Administrator Console, expand the Global Virtual Admin Unit and choose AD Users Web Query.
In the Query section, click the Select button in the Query Criteria.
Configure the new condition as follows:
Now all user accounts that have Service Account in the description won't be displayed in the Global Search Virtual Admin Unit.
Exclude some OUs from Global Virtual Admin Unit
The Global Virtual Admin Unit is based on different Admin Units. It may be necessary to exclude from the Global Search Virtual Admin Unit one or more OUs that are included in those Virtual Admin Units.
For example, if the helpdesk should manage all users in the Corp OU (OU=Corp,DC=cayodemo,DC=com), but not be allowed to see or manage user accounts in the Service Accounts sub-OU (OU=Service Accounts,OU=Corp,DC=cayodemo,DC=com), then a filter must be applied.
Exclude Service Accounts OU from Global Virtual Admin Unit
In the Cayosoft Administrator Console, expand the Global Virtual Admin Unit and select AD Users Web Query.
In the Query section, expand the More Options menu.
Find Filter and click the Select button.
Configure the new condition as follows:
Click OK.
Click Save Changes.
Now user accounts from Service Accounts OU won't be displayed in the Global Virtual Admin Unit.
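To confirm that both exclusions above hide what they should, the expected set can be computed directly from Active Directory and compared with what a help desk delegate sees in the portal. This is an added example, not Cayosoft code; it assumes the ActiveDirectory PowerShell module, uses the OU names from this page, limits the search to the Corp OU, and treats the description text as a case-insensitive substring match (`Test-ExpectedHidden` is a hypothetical helper name).

```powershell
# Added audit example, not part of the Cayosoft product.
# Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Distinguished names taken from the example on this page.
$CorpOU     = 'OU=Corp,DC=cayodemo,DC=com'
$ExcludedOU = 'OU=Service Accounts,OU=Corp,DC=cayodemo,DC=com'
# Assumption: the description is matched as a case-insensitive substring.
$DescriptionMarker = 'Service account'

function Test-ExpectedHidden {
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        [string] $Description
    )
    # Subtree test on an RDN boundary (leading comma), so a sibling such as
    # "OU=Old Service Accounts,OU=Corp,..." is not treated as excluded.
    $inExcludedOU = $DistinguishedName.EndsWith(
        ",$ExcludedOU", [System.StringComparison]::OrdinalIgnoreCase)
    # -like is case-insensitive; accounts with no description never match.
    $hasMarker = (-not [string]::IsNullOrEmpty($Description)) -and
                 ($Description -like "*$DescriptionMarker*")
    return ($inExcludedOU -or $hasMarker)
}

# Enumerate every user under the Corp OU, including all sub-OUs.
$report = Get-ADUser -Filter * -SearchBase $CorpOU -SearchScope Subtree -Properties Description |
    ForEach-Object {
        [pscustomobject]@{
            SamAccountName    = $_.SamAccountName
            ExpectedHidden    = Test-ExpectedHidden -DistinguishedName $_.DistinguishedName `
                                                    -Description $_.Description
            Description       = $_.Description
            DistinguishedName = $_.DistinguishedName
        }
    }

# Accounts that should NOT appear in the Global Virtual Admin Unit.
$report | Where-Object ExpectedHidden |
    Sort-Object DistinguishedName |
    Format-Table SamAccountName, Description, DistinguishedName -AutoSize -Wrap
```

Any account in this list that a help desk delegate can still find through the Global Virtual Admin Unit indicates that the Query Criteria or Filter condition does not match what was intended.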
Change History
| Version | Notes |
|---|---|
| 8.4.0 | Multi-forest management has been added and Global Search has been updated. |