Working with Global Administrative Units
█ Overview Global Administrative Units
Global Administrative Unit – a collection of queries that are conditionally limited in scope and that direct Web Actions to use a Global Catalog server, so they can see any object within the forest. When an object is selected from a web query returned by a Global Catalog search, the DN of the object is used to determine which domain controller and service credentials web actions must use to perform the required task.
There are no out-of-the-box Global Administrative Units; the administrator constructs them by first creating a normal Administrative Unit and then configuring it with the Global Scope parameters.
What is the difference between an Administrative Unit and a Global Administrative Unit?
- Administrative Unit – a collection of queries that are limited in scope to a specified domain or OU and direct Web Actions to use a specific domain controller for the domain or OU specified in the web query.
- Global Administrative Unit – a collection of queries that are conditionally limited in scope and that direct Web Actions to use a Global Catalog server, so they can see any object within the forest. When an object is selected from a web query returned by a Global Catalog search, the DN of the object is used to determine which domain controller and service credentials web actions must use to perform the required task.
- Global Administrative Unit Scope Merge Mode – When a user is delegated a Global Administrative Unit -AND- one or more normal Administrative Units, the results of a search performed in the Global Administrative Unit are limited to the scopes of the delegated normal Administrative Units.
- Delegation of a Global Administrative Unit alone means the trustee is limited only by the scope or filters applied to the Global Administrative Unit search, so if no configuration changes are made the user will have access to all users in the forest that are found in the Global Catalog.
- When a user is delegated both a Global Administrative Unit and one or more normal Administrative Units, the scopes from the normal Administrative Units override the Global Administrative Unit's scopes so that only objects from within the normal Administrative Units are accessible to the trustee.
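The scope rules above can be modelled in a few lines to review which trustees end up with forest-wide visibility. This is an added example, not Cayosoft code: the function names, the `(trustee, kind, scope)` tuple layout, and the sample trustees and DNs are all constructed for illustration.

```python
# Model of the scope rules described above; every name and value here is constructed.
FOREST = ""  # a Global AU left at its default scope: anything in the Global Catalog

def split_dn(dn):
    """Split a DN into lower-cased RDNs, keeping backslash-escaped commas in a value."""
    parts, cur, esc = [], [], False
    for ch in dn:
        if ch == "," and not esc:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        esc = (ch == "\\") and not esc
    parts.append("".join(cur).strip())
    return [p.lower() for p in parts if p]

def domain_of(dn):
    """DNS domain implied by the DC= components, used to pick the DC and credentials."""
    return ".".join(r[3:] for r in split_dn(dn) if r.startswith("dc="))

def in_scope(dn, base):
    """True when dn is the base itself or sits anywhere beneath it."""
    d, b = split_dn(dn), split_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def effective_scopes(trustee, delegations):
    """Scopes that apply to a trustee's Global AU searches."""
    normal = [s for t, k, s in delegations if t == trustee and k == "normal"]
    global_ = [s for t, k, s in delegations if t == trustee and k == "global"]
    if not global_:
        return []              # no Global AU delegated, so no global search at all
    return normal or global_   # merge mode: normal AU scopes override the global scope

def can_see(trustee, dn, delegations):
    return any(in_scope(dn, s) for s in effective_scopes(trustee, delegations))

def forest_wide(delegations):
    """Trustees whose Global AU searches are not narrowed by any scope."""
    return sorted({t for t, _, _ in delegations
                   if FOREST in effective_scopes(t, delegations)})

# Constructed sample delegations: (trustee, kind, scope base DN)
DELEGATIONS = [
    ("helpdesk-emea", "global", FOREST),
    ("helpdesk-emea", "normal", "OU=Staff,DC=emea,DC=example,DC=com"),
    ("svc-audit", "global", FOREST),
]
```

Here `forest_wide(DELEGATIONS)` reports only `svc-audit`, the trustee holding a Global Administrative Unit with no normal Administrative Unit to narrow it.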
█ Configuration of Global Administrative Units
Create a Global Administrative Unit
- In the Administrative Console navigate to Configuration > Web Interface > Web Queries
(Each folder represents an Administrative Unit)
- Click the Active Directory Administrative Unit (Folder)
- Click Copy Rules on the Action Menu
The Copy Rules Wizard will appear
- Enter a name for the Administrative Unit
(Consider using a name that administrators will recognize, such as the name of the OU or department this Administrative Unit will control)
- Click Create delegation for Web Administrators
- Click Change Scope and Defaults
- Assign delegation to the new Administrative Unit (Covered in the next set of steps)
Delegate Access to Global Administrative Units
For detailed information on this subject see: Role Based Delegation & Attribute Security
NOTE: Global Administrators will have immediate access to all Administrative Units. To grant access to other administrators, specify a group or user in the Trustee section of an individual delegation in the Web Administrator’s Role.
- Navigate to Configuration > Roles > Web Administration
- Locate the Delegation with the same name as the Administrative Unit to which you wish to grant access
- In the Trustee section, click Add
- Browse for the user or group that will have access to the Administrative Unit
Notice that the Queries and Actions of the Administrative Unit created in the previous set of steps were already added to the new delegation.
- Click OK
- Click Save Changes at the bottom right to complete the delegation
- Log in to the Cayosoft Web Administrator Portal to verify the Administrative Unit was created as expected
█ Overview Object Pickers & Global Scope
Object pickers are the dialog boxes that allow you to browse the underlying system to make selections. For example, when creating a new user, you may want to select an OU or when managing group membership you may want to select a user or group object.