Admin Roles
AD Web provides three admin roles for Active Directory administration. This article explains the roles, their purpose and example scenarios. The three roles are:
- Super Admin
- Domain Admin
- OU Admin
Each of these roles is simply mapped to an AD group, and the users who belong to that group get access according to the rights of the role.
Super Admin
A top-level admin who has access to all the Active Directory domains you add under AD Web. Users in this role have no restrictions. Only a group under the Primary Domain can be mapped to the Super Admin role. The role has no other settings; it is simply a super role.
Domain Admin
Users who belong to this role have access only to one particular Active Directory domain. They are allowed to manage the users, groups and OUs of that AD domain. You can configure a group for each AD domain when you create the domain, or later from the Admin >> Manage Domains page.
The real-world scenario is that you host multiple Active Directories for your clients. For example, you host each client on a dedicated Active Directory and you want to let each client’s administrators manage their own users. Or maybe your branches or departments each have a specific AD domain. In these cases you can provide access safely through AD Web. We know nobody likes to give access to the domain controller systems, but at the same time it is a painful task to manage your clients’ users yourself, especially when they are locked out or need password support. AD Web eases this scenario while still keeping your AD domain controller systems safe.
Super Admin can always enable/disable access controls from the Admin >> Settings page.
OU Admin
A user in this role can administer the other users under the same OU. In practice, OUs are mostly used as directories to manage clients, departments or branches. In that scenario you can make one or more users under an OU admins of the objects within that OU. For example, if a user belongs to the OU Admin role and is under an OU called “ABC Company”, he can manage the other users, groups and sub-OUs under his OU “ABC Company”. He can’t do anything with objects in other OUs.
This is useful when you want to allow department admins or client admins to manage their users themselves. Again, as a super admin you can manage the access rights from your admin portal.
Super Admin can always enable/disable access controls from the Admin >> Settings page.
Go to the Admin >> Settings page and scroll down to where you can control the access rights of each role. You can flexibly control each action on user, group and OU objects.
As per the above settings,
Domain Admins can,
- View, edit and create users.
- Import users in bulk.
- Reset the password of any user.
- Unlock any locked user.
- They can’t delete, enable or disable a user.
OU Admins can,
- Only reset or unlock users.
- They can’t create, edit or delete user objects, or perform any other operation on them.
In a similar way, you can set access rights for group and OU objects.
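The role rules described above can be expressed as a rights table plus a scope check on distinguished names. The following is an added sketch, not AD Web's own code: the role keys, action names, function names and sample DNs are all constructed, and it assumes an OU Admin's scope is the OU he sits in and that "reset" means a password reset.

```python
# Added illustration, not AD Web code. Role keys, action names and DNs are
# constructed from the rules listed on this page.
USER_RIGHTS = {
    "domain_admin": {"view", "edit", "create", "import", "reset_password", "unlock"},
    "ou_admin": {"reset_password", "unlock"},  # assumes "reset" = password reset
}

def split_dn(dn):
    """Split a DN into lower-cased RDNs, keeping backslash-escaped commas."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur).strip().lower())
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur).strip().lower())
    return rdns

def is_under(scope_dn, target_dn):
    """True only if target_dn sits strictly below scope_dn in the tree."""
    scope, target = split_dn(scope_dn), split_dn(target_dn)
    return len(target) > len(scope) and target[-len(scope):] == scope

def is_allowed(role, action, scope_dn, target_dn):
    """scope_dn: the domain DN for a Domain Admin, the admin's OU for an OU Admin."""
    if role == "super_admin":
        return True  # no restrictions, per the page
    return action in USER_RIGHTS.get(role, set()) and is_under(scope_dn, target_dn)

# Constructed sample DNs.
ABC = "OU=ABC Company,DC=example,DC=com"
ALICE = "CN=Alice,OU=Sales,OU=ABC Company,DC=example,DC=com"
BOB = "CN=Bob,OU=Other Client,DC=example,DC=com"
# A sibling OU whose name contains an escaped comma; it is not below ABC.
SIBLING = "CN=Eve,OU=Fake\\,OU=ABC Company,DC=example,DC=com"

if __name__ == "__main__":
    for who in (ALICE, BOB, SIBLING):
        print(who, is_allowed("ou_admin", "unlock", ABC, who))
```

Comparing parsed RDN lists rather than raw string suffixes keeps an OU whose name contains an escaped comma from being treated as a child of "ABC Company".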