• State Verified Answer
  • Replies 2 replies
  • Subscribers 62 subscribers
  • Views 982 views
  • Users 0 members are here
Options
Related

regular users is unable to see AD object through web interface

ngkeith
over 1 year ago

I am trying to implement the request\approval workflow for group membership in our organization. I enabled group owner to the group and the related workflow (builtin Approval by Primary Owner). When I tried to test the workflow by logging in as some regular users, I was unable to see\browse any AD object. I was informed that the "All Object - Read All Properties" access template is required. I checked that it is linked to NT Authority\Authenticated users. Isn't it enough? This is an inherited system and I am getting myself familiar with it.

Thanks

Top Replies

  • +1 over 1 year ago

    Hi  

    To help familiarise you with the product, we've got some overview videos over on YouTube, the playlist is here One Identity Active Roles - Overview - YouTube

    Would you be able to add more details around what you're trying to do, and where? Maybe with some screenshots (you can redact any domain names etc you're not comfortable with sharing).

    I ask, as although what you're asking should be relevantly straight forward to implement; as with everything, the devil is in the details.

    You should be able to  delegated control to the "Active Directory" node, assigning the "All objects - Read all properties" access template, to all "Authenticated Users" or (domain users), which as long as inheritance is correctly set, and the link is not disabled, should grant all those users to via everything under Active Directory node in Active Roles

    The Access Template Link which represents the delegation of control appears like the below (this bottom pane is the Advanced Details pane, selectable from the View menu, this pane includes lots of different information, but in this instance you're interested in the "Active Roles Security" tab, the information displayed will change as you move between objects)

    Double clicking on the Access Template Link we're interested in will show more details related to inheritance, and other more advanced details.

    IE without the delegation of control created (or the access template link disabled), my user "Test User" will not see anything under the Directory object node, whether in the Web Interface, or the MMC.

    With the delegation of control set, my user will see everything from the Active Directory Node and down.

    However, although this will allow the users to see everything, is it appropriate for them to see everything? (Service Accounts, Admin Account, Domain Controllers, etc).

    Kind regards

    Stu

  • 0 over 1 year ago in reply to Stu.Pollock

    Hi Stu, thanks for reply. I was away for few weeks and just got back to work again.

    I followed your instructions (linking the "All objects - Read all properties" access template to the Active Directory container and regular users are able to see\search the AD objects now. It is odd that this is not turn on by default.

    Thanks again.

    Keith