My users are complaining that they can't see entire branches of the tree view. We're working on weaning users off ADUC and this is a concern because ADUC users are accustomed to working from the tree view.
Is there a security setting that exposes the tree view branch? Or like file folders, do you have to have "list" security at the root?
Regards,
JonR
Hi jraines
By default Active Roles (unlike AD) does not grant permissions to any users, to any objects within any managed domains. If these users are seeing some objects, this would means that they have already been granted some permissions via Access Templates.
As I don't know how your instance of ARS has been configured, in terms of Access Template Links (the glue that describes WHO has been granted WHAT against WHERE), I can only give you generics based on some assumptions
1) All users who used to use ADUC and are now using ARS' web interface are a member of "Ex-ADUC Users" AD Group in "Domain.com"
2) These users need access to view all objects from Domain.com, and there is no requirement for limited read access to selected object classes.
To apply a delegation of control
1) Open the Active Roles Console (MMC) as an ARS Admin
2) In the navigate pane, expand Active Directory
3) Right click the domain that these users need permissions over, and select "Delegate Control"
4) Click Add
5) If present with "Welcome to the delegation of control wizard" click next, otherwise go to the next step
6) Click Add
7) Enter the "Ex-ADUC Users" group into the bottom box and click check name (or whatever the AD group you're delegating permissions to), then click ok, and next
8) When asked to select an Access Template, Expand Active Directory, and select "All Objects - Read all properties", then click next
9) When prompted for inheritance options, in this instance leave as is, and click next
10) When asked about Permissions propagation, do not check the box, click next
11) Click Finish
12) Click Ok
If you have the "Advanced Details" pane enabled, you'll see an entry similar to the one defined against the "AccessGroup" trustee
Please note, I don't know how your ARS instance is configured, what is currently in place, and if it is appropriate for all these users to be able to see everything. As from the sounds of it, these users have some but limited access currently, and that might be for reasons unknown. Permissions can be granted more granularly than the above (and the above is a very broad brush)..
If in doubt, you could engage professional services for guidance more bespoke to your use case.
Kind regards
Stu
Hi jraines
By default Active Roles (unlike AD) does not grant permissions to any users, to any objects within any managed domains. If these users are seeing some objects, this would means that they have already been granted some permissions via Access Templates.
As I don't know how your instance of ARS has been configured, in terms of Access Template Links (the glue that describes WHO has been granted WHAT against WHERE), I can only give you generics based on some assumptions
1) All users who used to use ADUC and are now using ARS' web interface are a member of "Ex-ADUC Users" AD Group in "Domain.com"
2) These users need access to view all objects from Domain.com, and there is no requirement for limited read access to selected object classes.
To apply a delegation of control
1) Open the Active Roles Console (MMC) as an ARS Admin
2) In the navigate pane, expand Active Directory
3) Right click the domain that these users need permissions over, and select "Delegate Control"
4) Click Add
5) If present with "Welcome to the delegation of control wizard" click next, otherwise go to the next step
6) Click Add
7) Enter the "Ex-ADUC Users" group into the bottom box and click check name (or whatever the AD group you're delegating permissions to), then click ok, and next
8) When asked to select an Access Template, Expand Active Directory, and select "All Objects - Read all properties", then click next
9) When prompted for inheritance options, in this instance leave as is, and click next
10) When asked about Permissions propagation, do not check the box, click next
11) Click Finish
12) Click Ok
If you have the "Advanced Details" pane enabled, you'll see an entry similar to the one defined against the "AccessGroup" trustee
Please note, I don't know how your ARS instance is configured, what is currently in place, and if it is appropriate for all these users to be able to see everything. As from the sounds of it, these users have some but limited access currently, and that might be for reasons unknown. Permissions can be granted more granularly than the above (and the above is a very broad brush)..
If in doubt, you could engage professional services for guidance more bespoke to your use case.
Kind regards
Stu
